From f53a6bea21bf8c7c2870d61c4a3afe60533f49b2 Mon Sep 17 00:00:00 2001 From: Thomas Darimont Date: Thu, 21 Nov 2024 09:33:07 +0100 Subject: [PATCH] Add support for realm normalization This is a squash of the commits from multiple repositories: Original PR by sonOfRa: https://github.com/adorsys/keycloak-config-cli/pull/818 Adaptations by thomasdarimont: https://github.com/thomasdarimont/keycloak-config-cli/tree/feature/realm-normalization Fixes #799 Co-authored-by: Simon Levermann Signed-off-by: Thomas Darimont --- .gitignore | 1 + docs/FEATURES.md | 1 + docs/NORMALIZE.md | 123 + pom.xml | 50 +- .../config/KeycloakConfigApplication.java | 5 +- .../KeycloakConfigNormalizationRunner.java | 126 + .../keycloak/config/KeycloakConfigRunner.java | 10 + .../NormalizationConfiguration.java | 137 + .../exception/NormalizationException.java | 31 + ...edAuthenticationFlowWorkaroundFactory.java | 2 + .../model/AuthenticationFlowImport.java | 2 + .../keycloak/config/model/RealmImport.java | 2 + .../properties/ImportConfigProperties.java | 56 +- .../properties/KeycloakConfigProperties.java | 23 +- .../NormalizationConfigProperties.java | 107 + ...NormalizationKeycloakConfigProperties.java | 47 + .../properties/RunConfigProperties.java | 44 + .../config/provider/BaselineProvider.java | 111 + .../provider/KeycloakExportProvider.java | 232 ++ .../provider/KeycloakImportProvider.java | 2 + .../config/provider/KeycloakProvider.java | 2 + .../AuthenticationFlowRepository.java | 2 + .../AuthenticatorConfigRepository.java | 2 + .../repository/ClientPoliciesRepository.java | 2 + .../config/repository/ClientRepository.java | 2 + .../repository/ClientScopeRepository.java | 2 + .../repository/ComponentRepository.java | 2 + .../repository/ExecutionFlowRepository.java | 2 + .../config/repository/GroupRepository.java | 2 + .../IdentityProviderMapperRepository.java | 2 + .../IdentityProviderRepository.java | 2 + .../config/repository/RealmRepository.java | 8 + .../repository/RequiredActionRepository.java | 2 + .../repository/RoleCompositeRepository.java | 2 + .../config/repository/RoleRepository.java | 2 + .../repository/ScopeMappingRepository.java | 2 + .../config/repository/StateRepository.java | 2 + .../repository/UserProfileRepository.java | 2 + .../config/repository/UserRepository.java | 2 + .../AuthenticationFlowsImportService.java | 2 + .../AuthenticatorConfigImportService.java | 2 + .../ClientAuthorizationImportService.java | 2 + .../config/service/ClientImportService.java | 2 + .../service/ClientPoliciesImportService.java | 2 + .../service/ClientScopeImportService.java | 2 + .../ClientScopeMappingImportService.java | 2 + .../service/ComponentImportService.java | 2 + .../service/DefaultGroupsImportService.java | 2 + .../service/ExecutionFlowsImportService.java | 2 + .../config/service/GroupImportService.java | 2 + .../IdentityProviderImportService.java | 2 + .../service/MessageBundleImportService.java | 2 + .../config/service/RealmImportService.java | 2 + .../service/RequiredActionsImportService.java | 2 + .../config/service/RoleImportService.java | 2 + .../service/ScopeMappingImportService.java | 2 + .../config/service/UserImportService.java | 2 + .../service/UserProfileImportService.java | 2 + .../service/checksum/ChecksumService.java | 2 + .../AttributeNormalizationService.java | 96 + .../AuthFlowNormalizationService.java | 238 ++ .../normalize/ClientNormalizationService.java | 169 ++ .../ClientPolicyNormalizationService.java | 49 + .../ClientScopeNormalizationService.java | 107 + .../ComponentNormalizationService.java | 90 + .../normalize/GroupNormalizationService.java | 141 + .../IdentityProviderNormalizationService.java | 149 ++ .../ProtocolMapperNormalizationService.java | 82 + .../normalize/RealmNormalizationService.java | 211 ++ .../RequiredActionNormalizationService.java | 77 + .../normalize/RoleNormalizationService.java | 161 ++ .../ScopeMappingNormalizationService.java | 117 + .../UserFederationNormalizationService.java | 154 ++ .../client/ClientCompositeImport.java | 2 + .../ClientRoleCompositeImportService.java | 2 + .../client/RealmCompositeImport.java | 2 + .../realm/ClientCompositeImport.java | 2 + .../realm/RealmCompositeImport.java | 2 + .../RealmRoleCompositeImportService.java | 2 + .../config/service/state/StateService.java | 2 + .../keycloak/config/util/JaversUtil.java | 42 + .../application-normalize-dev.properties | 6 + src/main/resources/application.properties | 2 + .../baseline/19.0.3/client/client.json | 45 + .../baseline/19.0.3/realm/realm.json | 2176 +++++++++++++++ .../baseline/20.0.3/client/client.json | 45 + .../baseline/20.0.3/realm/realm.json | 2188 +++++++++++++++ .../baseline/25.0.5/client/client.json | 59 + .../baseline/25.0.5/realm/realm.json | 2355 +++++++++++++++++ .../NormalizeTestConfiguration.java | 35 + .../configuration/TestConfiguration.java | 2 + .../normalize/AbstractNormalizeTest.java | 47 + .../AuthFlowNormalizationServiceConfigIT.java | 100 + .../AuthFlowNormalizationServiceFlowIT.java | 72 + .../test/util/KeycloakAuthentication.java | 2 + .../config/test/util/KeycloakRepository.java | 2 + .../application-normalize-IT.properties | 3 + .../exported-realm/25.0.1/master-realm.json | 942 +++---- .../exported-realm/25.0.5/master-realm.json | 1833 +++++++++++++ 99 files changed, 12499 insertions(+), 508 deletions(-) create mode 100644 docs/NORMALIZE.md create mode 100644 src/main/java/de/adorsys/keycloak/config/KeycloakConfigNormalizationRunner.java create mode 100644 src/main/java/de/adorsys/keycloak/config/configuration/NormalizationConfiguration.java create mode 100644 src/main/java/de/adorsys/keycloak/config/exception/NormalizationException.java create mode 100644 src/main/java/de/adorsys/keycloak/config/properties/NormalizationConfigProperties.java create mode 100644 src/main/java/de/adorsys/keycloak/config/properties/NormalizationKeycloakConfigProperties.java create mode 100644 src/main/java/de/adorsys/keycloak/config/properties/RunConfigProperties.java create mode 100644 src/main/java/de/adorsys/keycloak/config/provider/BaselineProvider.java create mode 100644 src/main/java/de/adorsys/keycloak/config/provider/KeycloakExportProvider.java create mode 100644 src/main/java/de/adorsys/keycloak/config/service/normalize/AttributeNormalizationService.java create mode 100644 src/main/java/de/adorsys/keycloak/config/service/normalize/AuthFlowNormalizationService.java create mode 100644 src/main/java/de/adorsys/keycloak/config/service/normalize/ClientNormalizationService.java create mode 100644 src/main/java/de/adorsys/keycloak/config/service/normalize/ClientPolicyNormalizationService.java create mode 100644 src/main/java/de/adorsys/keycloak/config/service/normalize/ClientScopeNormalizationService.java create mode 100644 src/main/java/de/adorsys/keycloak/config/service/normalize/ComponentNormalizationService.java create mode 100644 src/main/java/de/adorsys/keycloak/config/service/normalize/GroupNormalizationService.java create mode 100644 src/main/java/de/adorsys/keycloak/config/service/normalize/IdentityProviderNormalizationService.java create mode 100644 src/main/java/de/adorsys/keycloak/config/service/normalize/ProtocolMapperNormalizationService.java create mode 100644 src/main/java/de/adorsys/keycloak/config/service/normalize/RealmNormalizationService.java create mode 100644 src/main/java/de/adorsys/keycloak/config/service/normalize/RequiredActionNormalizationService.java create mode 100644 src/main/java/de/adorsys/keycloak/config/service/normalize/RoleNormalizationService.java create mode 100644 src/main/java/de/adorsys/keycloak/config/service/normalize/ScopeMappingNormalizationService.java create mode 100644 src/main/java/de/adorsys/keycloak/config/service/normalize/UserFederationNormalizationService.java create mode 100644 src/main/java/de/adorsys/keycloak/config/util/JaversUtil.java create mode 100644 src/main/resources/application-normalize-dev.properties create mode 100644 src/main/resources/baseline/19.0.3/client/client.json create mode 100644 src/main/resources/baseline/19.0.3/realm/realm.json create mode 100644 src/main/resources/baseline/20.0.3/client/client.json create mode 100644 src/main/resources/baseline/20.0.3/realm/realm.json create mode 100644 src/main/resources/baseline/25.0.5/client/client.json create mode 100644 src/main/resources/baseline/25.0.5/realm/realm.json create mode 100644 src/test/java/de/adorsys/keycloak/config/configuration/NormalizeTestConfiguration.java create mode 100644 src/test/java/de/adorsys/keycloak/config/normalize/AbstractNormalizeTest.java create mode 100644 src/test/java/de/adorsys/keycloak/config/service/normalize/AuthFlowNormalizationServiceConfigIT.java create mode 100644 src/test/java/de/adorsys/keycloak/config/service/normalize/AuthFlowNormalizationServiceFlowIT.java create mode 100644 src/test/resources/application-normalize-IT.properties create mode 100644 src/test/resources/import-files/exported-realm/25.0.5/master-realm.json diff --git a/.gitignore b/.gitignore index 336b753a9..835791c49 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,4 @@ release.properties /*.json /test* +/exports diff --git a/docs/FEATURES.md b/docs/FEATURES.md index ab05ea621..429b354bb 100644 --- a/docs/FEATURES.md +++ b/docs/FEATURES.md @@ -57,6 +57,7 @@ | Synchronize user profile | 5.4.0 | Synchronize the user profile configuration defined on the realm configuration | | Synchronize client-policies | 5.6.0 | Synchronize the client-policies (clientProfiles and clientPolicies) while updating realms | | Synchronize message bundles | 5.12.0 | Synchronize message bundles defined on the realm configuration | +| Normalize realm exports | x.x.x | Normalize a full realm export to be more minimal | # Specificities diff --git a/docs/NORMALIZE.md b/docs/NORMALIZE.md new file mode 100644 index 000000000..0df106179 --- /dev/null +++ b/docs/NORMALIZE.md @@ -0,0 +1,123 @@ +# Realm normalization + +Realm normalization is a feature that is supposed to aid users in migrating from an "unmanaged" Keycloak installation, +to an installation managed by keycloak-config-cli. +To achieve this, it uses a full [realm export](https://www.keycloak.org/server/importExport#_exporting_a_specific_realm) +as an input, and only retains things that deviate from the default + +## Usage + +To run the normalization, run keycloak-config-cli with the CLI option `--run.operation=NORMALIZE`. +The default value for this option is `IMPORT`, which will run the regular keycloak-config-cli import. + +### Configuration options + +| Configuration key | Purpose | Example | +|--------------------------------------|-----------------------------------------------------------------------------------------------------------------|---------------| +| run.operation | Tell keycloak-config-cli to normalize, rather than import | NORMALIZE | +| normalization.files.input-locations | Which realm files to import | See IMPORT.md | +| normalization.files.output-directory | Where to save output realm files | ./exports/out | +| normalization.output-format | Whether to output JSON or YAML. Default value is YAML | YAML | +| normalization.fallback-version | Use this version as a baseline of keycloak version in realm is not available as baseline in keycloak-config-cli | 19.0.3 | + +### Unimplemented Features +- Components: + - Currently, keycloak-config-cli will not yet look at the `components` section of the exported JSON + - Therefore, some things (like LDAP federation configs and Key providers) are missing from the normalized YAML +- Users + - Users are not currently considered by normalization. + +## Missing entries +keycloak-config-cli will WARN if components that are present in a realm by default are missing from an exported realm. +An example of such a message is: +``` +Default realm requiredAction 'webauthn-register-passwordless' was deleted in exported realm. It may be reintroduced during import +``` +Messages like these will often show up when using keycloak-config-cli to normalize an import from an older version of Keycloak, and compared to a newer baseline. +In the above case, the Keycloak version is 18.0.3, and the baseline for comparison was 19.0.3. +Since the webauthn feature was not present (or enabled by default) in the older version, this message is mostly informative. +If a message like this appears on a component that was *not* deleted or should generally be present, this may indicate a bug in keycloak-config-cli. + +## Cleaning of invalid data +Sometimes, realms of existing installations may contain invalid data, due to faulty migrations, or due to direct interaction with the database, +rather than the Keycloak API. +When such problems are found, we attempt to handle them in keycloak-config-cli, or at least notify the user about the existence of these problems. + +### SAML Attributes on clients +While not necessarily invalid, openid-connect clients that were created on older Keycloak versions, will sometimes contain +SAML-related attributes. These are filtered out by keycloak-config-cli. + +### Unused non-top-level Authentication Flows +Authentication flows in Keycloak are marked as top-level if they are supposed to be available for binding or overrides. +Authentication flows that are not marked as top-level are used as sub-flows in other authentication flows. +The normalization process recognizes recursively whether there are authentication flows that are not top level and not used +by any top level flow, and does not include them in the final result. + +A warning message is logged, and you can use the following SQL query to find any authentication flows that are not referenced. +Note that this query, unlike keycloak-config-cli, is not recursive. +That means that after deleting an unused flow, additional unused flows may appear after the query is performed again. + +```sql +select flow.alias +from authentication_flow flow + join realm r on flow.realm_id = r.id + left join authentication_execution execution on flow.id = execution.auth_flow_id +where r.name = 'mytest' + and execution.id is null + and not flow.top_level +``` + +### Unused and duplicate Authenticator Configs +Authenticator Configs are not useful if they are not referenced by at least one authentication execution. +Therefore, keycloak-config-cli detects unused configurations and does not include them in the resulting output. +Note that the check for unused configs runs *after* the check for unused flows. +That means a config will be detected as unused if it is referenced by an execution that is part of a flow that is unused. + +A warning message is logged on duplicate or unused configs, and you can use the following SQL query to find any configs +that are unused: + +```sql +select ac.alias, ac.id +from authenticator_config ac + left join authentication_execution ae on ac.id = ae.auth_config + left join authentication_flow af on ae.flow_id = af.id + join realm r on ac.realm_id = r.id +where r.name = 'master' and af.alias is null +order by ac.alias +``` + +And the following query to find duplicates: + +```sql +select alias, count(alias), r.name as realm_name +from authenticator_config + join realm r on realm_id = r.id +group by alias, r.name +having count(alias) > 1 +``` + +If the `af.id` and `af.alias` fields are `null`, the config in question is not in use. +Note that configs used by unused flows are not marked as unused in the SQL result, as these need to be deleted first +to become unused. +After the unused flows (and executions) are deleted, the configs will be marked as unused and can also be deleted. + +### Authentication Executions with invalid subflows +Some keycloak exports have invalid authentication executions that reference a subflow, while also setting an authenticator. +This is only a valid configuration if the subflow's type is `form-flow`. +If it is not, then keycloak-config-cli will not import the configuration. +This will be marked by an ERROR severity message in the log output. +You can use this SQL query to find offending entries and remediate the configuration errors before continuing. + +```sql +select parent.alias, + subflow.alias, + execution.alias +from authentication_execution execution + join realm r on execution.realm_id = r.id + join authentication_flow parent on execution.flow_id = parent.id + join authentication_flow subflow on execution.auth_flow_id = subflow.id +where execution.auth_flow_id is not null + and execution.authenticator is not null + and subflow.provider_id <> 'form-flow' + and r.name = 'REALMNAME'; +``` diff --git a/pom.xml b/pom.xml index 8c84fb126..bf28a95b4 100644 --- a/pom.xml +++ b/pom.xml @@ -129,6 +129,30 @@ import pom + + + org.apache.commons + commons-text + ${commons-text.version} + + + + org.apache.commons + commons-lang3 + ${commons-lang3.version} + + + + net.jodah + failsafe + ${failsafe.version} + + + + org.javers + javers-core + 7.6.2 + @@ -170,12 +194,6 @@ jackson-datatype-jdk8 - - org.yaml - snakeyaml - ${snakeyaml.version} - - org.keycloak keycloak-admin-client @@ -209,6 +227,26 @@ ${failsafe.version} + + com.fasterxml.jackson.core + jackson-databind + + + + com.fasterxml.jackson.dataformat + jackson-dataformat-yaml + + + + org.javers + javers-core + + + + org.yaml + snakeyaml + + net.logstash.logback diff --git a/src/main/java/de/adorsys/keycloak/config/KeycloakConfigApplication.java b/src/main/java/de/adorsys/keycloak/config/KeycloakConfigApplication.java index 5fa682707..99746d177 100644 --- a/src/main/java/de/adorsys/keycloak/config/KeycloakConfigApplication.java +++ b/src/main/java/de/adorsys/keycloak/config/KeycloakConfigApplication.java @@ -20,14 +20,13 @@ package de.adorsys.keycloak.config; -import de.adorsys.keycloak.config.properties.ImportConfigProperties; -import de.adorsys.keycloak.config.properties.KeycloakConfigProperties; +import de.adorsys.keycloak.config.properties.RunConfigProperties; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.context.properties.EnableConfigurationProperties; @SpringBootApplication(proxyBeanMethods = false) -@EnableConfigurationProperties({KeycloakConfigProperties.class, ImportConfigProperties.class}) +@EnableConfigurationProperties(RunConfigProperties.class) public class KeycloakConfigApplication { public static void main(String[] args) { // https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#boot-features-application-exit diff --git a/src/main/java/de/adorsys/keycloak/config/KeycloakConfigNormalizationRunner.java b/src/main/java/de/adorsys/keycloak/config/KeycloakConfigNormalizationRunner.java new file mode 100644 index 000000000..44b410b79 --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/KeycloakConfigNormalizationRunner.java @@ -0,0 +1,126 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config; + +import com.fasterxml.jackson.databind.ObjectMapper; +import com.fasterxml.jackson.dataformat.yaml.YAMLMapper; +import de.adorsys.keycloak.config.properties.NormalizationConfigProperties; +import de.adorsys.keycloak.config.properties.NormalizationKeycloakConfigProperties; +import de.adorsys.keycloak.config.provider.KeycloakExportProvider; +import de.adorsys.keycloak.config.service.normalize.RealmNormalizationService; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.CommandLineRunner; +import org.springframework.boot.ExitCodeGenerator; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.boot.context.properties.EnableConfigurationProperties; +import org.springframework.stereotype.Component; + +import java.io.FileOutputStream; +import java.nio.file.Files; +import java.nio.file.Paths; +import java.text.SimpleDateFormat; +import java.util.Date; + +import static de.adorsys.keycloak.config.properties.NormalizationConfigProperties.OutputFormat.YAML; + +@Component +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +@EnableConfigurationProperties({NormalizationConfigProperties.class, NormalizationKeycloakConfigProperties.class}) +public class KeycloakConfigNormalizationRunner implements CommandLineRunner, ExitCodeGenerator { + + private static final Logger logger = LoggerFactory.getLogger(KeycloakConfigNormalizationRunner.class); + private static final long START_TIME = System.currentTimeMillis(); + + private final RealmNormalizationService normalizationService; + private final KeycloakExportProvider exportProvider; + private final NormalizationConfigProperties normalizationConfigProperties; + private final YAMLMapper yamlMapper; + private final ObjectMapper objectMapper; + private int exitCode; + + @Autowired + public KeycloakConfigNormalizationRunner(RealmNormalizationService normalizationService, + KeycloakExportProvider exportProvider, + NormalizationConfigProperties normalizationConfigProperties, + YAMLMapper yamlMapper, + ObjectMapper objectMapper) { + this.normalizationService = normalizationService; + this.exportProvider = exportProvider; + this.normalizationConfigProperties = normalizationConfigProperties; + this.yamlMapper = yamlMapper; + this.objectMapper = objectMapper; + } + + @Override + public void run(String... args) throws Exception { + try { + var outputLocation = Paths.get(normalizationConfigProperties.getFiles().getOutputDirectory()); + if (!Files.exists(outputLocation)) { + logger.info("Creating output directory '{}'", outputLocation); + Files.createDirectories(outputLocation); + } + if (!Files.isDirectory(outputLocation)) { + logger.error("Output location '{}' is not a directory. Aborting", outputLocation); + exitCode = 1; + return; + } + + for (var exportLocations : exportProvider.readFromLocations().values()) { + for (var export : exportLocations.entrySet()) { + logger.info("Normalizing file '{}'", export.getKey()); + for (var realm : export.getValue()) { + var normalizedRealm = normalizationService.normalizeRealm(realm); + var suffix = normalizationConfigProperties.getOutputFormat() == YAML ? "yaml" : "json"; + var outputFile = outputLocation.resolve(String.format("%s.%s", normalizedRealm.getRealm(), suffix)); + try (var os = new FileOutputStream(outputFile.toFile())) { + if (normalizationConfigProperties.getOutputFormat() == YAML) { + yamlMapper.writeValue(os, normalizedRealm); + } else { + objectMapper.writeValue(os, normalizedRealm); + } + } + } + } + } + } catch (NullPointerException e) { + throw e; + } catch (Exception e) { + logger.error(e.getMessage()); + + exitCode = 1; + + if (logger.isDebugEnabled()) { + throw e; + } + } finally { + long totalTime = System.currentTimeMillis() - START_TIME; + String formattedTime = new SimpleDateFormat("mm:ss.SSS").format(new Date(totalTime)); + logger.info("keycloak-config-cli running in {}.", formattedTime); + } + } + + @Override + public int getExitCode() { + return exitCode; + } +} diff --git a/src/main/java/de/adorsys/keycloak/config/KeycloakConfigRunner.java b/src/main/java/de/adorsys/keycloak/config/KeycloakConfigRunner.java index d254adf54..a8fd41002 100644 --- a/src/main/java/de/adorsys/keycloak/config/KeycloakConfigRunner.java +++ b/src/main/java/de/adorsys/keycloak/config/KeycloakConfigRunner.java @@ -23,6 +23,7 @@ import de.adorsys.keycloak.config.model.KeycloakImport; import de.adorsys.keycloak.config.model.RealmImport; import de.adorsys.keycloak.config.properties.ImportConfigProperties; +import de.adorsys.keycloak.config.properties.KeycloakConfigProperties; import de.adorsys.keycloak.config.provider.KeycloakImportProvider; import de.adorsys.keycloak.config.service.RealmImportService; import org.slf4j.Logger; @@ -30,6 +31,8 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.CommandLineRunner; import org.springframework.boot.ExitCodeGenerator; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.boot.context.properties.EnableConfigurationProperties; import org.springframework.stereotype.Component; import java.text.SimpleDateFormat; @@ -39,6 +42,13 @@ import java.util.Map; @Component +/* + * Spring only considers actual properties set, not default values of @ConfigurationProperties classes. + * Therefore, we enable matchIfMissing here, so if there is *no* property set, we consider it an import + * for backwards compatibility + */ +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) +@EnableConfigurationProperties({ImportConfigProperties.class, KeycloakConfigProperties.class}) public class KeycloakConfigRunner implements CommandLineRunner, ExitCodeGenerator { private static final Logger logger = LoggerFactory.getLogger(KeycloakConfigRunner.class); private static final long START_TIME = System.currentTimeMillis(); diff --git a/src/main/java/de/adorsys/keycloak/config/configuration/NormalizationConfiguration.java b/src/main/java/de/adorsys/keycloak/config/configuration/NormalizationConfiguration.java new file mode 100644 index 000000000..21a43888a --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/configuration/NormalizationConfiguration.java @@ -0,0 +1,137 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.configuration; + +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.fasterxml.jackson.databind.SerializationFeature; +import com.fasterxml.jackson.dataformat.yaml.YAMLGenerator; +import com.fasterxml.jackson.dataformat.yaml.YAMLMapper; +import org.javers.core.Javers; +import org.javers.core.JaversBuilder; +import org.javers.core.diff.ListCompareAlgorithm; +import org.javers.core.metamodel.clazz.EntityDefinition; +import org.javers.core.metamodel.clazz.EntityDefinitionBuilder; +import org.keycloak.representations.idm.AuthenticationFlowRepresentation; +import org.keycloak.representations.idm.ClientRepresentation; +import org.keycloak.representations.idm.ClientScopeRepresentation; +import org.keycloak.representations.idm.ComponentExportRepresentation; +import org.keycloak.representations.idm.GroupRepresentation; +import org.keycloak.representations.idm.IdentityProviderMapperRepresentation; +import org.keycloak.representations.idm.IdentityProviderRepresentation; +import org.keycloak.representations.idm.ProtocolMapperRepresentation; +import org.keycloak.representations.idm.RealmRepresentation; +import org.keycloak.representations.idm.RequiredActionProviderRepresentation; +import org.keycloak.representations.idm.RoleRepresentation; +import org.keycloak.representations.idm.UserFederationMapperRepresentation; +import org.keycloak.representations.idm.UserFederationProviderRepresentation; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; + +import java.util.ArrayList; +import java.util.List; + +@Configuration +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class NormalizationConfiguration { + + @Bean + public Javers javers() { + return commonJavers() + .withListCompareAlgorithm(ListCompareAlgorithm.LEVENSHTEIN_DISTANCE) + .build(); + } + + @Bean + public Javers unOrderedJavers() { + return commonJavers() + .withListCompareAlgorithm(ListCompareAlgorithm.AS_SET) + .build(); + } + + @Bean + public YAMLMapper yamlMapper() { + var ym = new YAMLMapper(); + ym.setSerializationInclusion(JsonInclude.Include.NON_NULL); + ym.enable(SerializationFeature.INDENT_OUTPUT); + ym.enable(YAMLGenerator.Feature.INDENT_ARRAYS_WITH_INDICATOR); + return ym; + } + + @Bean + public ObjectMapper objectMapper() { + var om = new ObjectMapper(); + om.setSerializationInclusion(JsonInclude.Include.NON_NULL); + om.enable(SerializationFeature.INDENT_OUTPUT); + return om; + } + + private JaversBuilder commonJavers() { + var realmIgnoredProperties = new ArrayList(); + realmIgnoredProperties.add("id"); + realmIgnoredProperties.add("groups"); + realmIgnoredProperties.add("roles"); + realmIgnoredProperties.add("defaultRole"); + realmIgnoredProperties.add("clientProfiles"); // + realmIgnoredProperties.add("clientPolicies"); // + realmIgnoredProperties.add("users"); + realmIgnoredProperties.add("federatedUsers"); + realmIgnoredProperties.add("scopeMappings"); // + realmIgnoredProperties.add("clientScopeMappings"); // + realmIgnoredProperties.add("clients"); // + realmIgnoredProperties.add("clientScopes"); // + realmIgnoredProperties.add("userFederationProviders"); + realmIgnoredProperties.add("userFederationMappers"); + realmIgnoredProperties.add("identityProviders"); + realmIgnoredProperties.add("identityProviderMappers"); + realmIgnoredProperties.add("protocolMappers"); // + realmIgnoredProperties.add("components"); + realmIgnoredProperties.add("authenticationFlows"); + realmIgnoredProperties.add("authenticatorConfig"); + realmIgnoredProperties.add("requiredActions"); + realmIgnoredProperties.add("applicationScopeMappings"); + realmIgnoredProperties.add("applications"); + realmIgnoredProperties.add("oauthClients"); + realmIgnoredProperties.add("clientTemplates"); + realmIgnoredProperties.add("attributes"); + + return JaversBuilder.javers() + .registerEntity(new EntityDefinition(RealmRepresentation.class, "realm", realmIgnoredProperties)) + .registerEntity(new EntityDefinition(ClientRepresentation.class, "clientId", + List.of("id", "authorizationSettings", "protocolMappers"))) + .registerEntity(new EntityDefinition(ProtocolMapperRepresentation.class, "name", List.of("id"))) + .registerEntity(new EntityDefinition(ClientScopeRepresentation.class, "name", List.of("id", "protocolMappers"))) + .registerEntity(new EntityDefinition(RoleRepresentation.class, "name", List.of("id", "containerId", "composites", "attributes"))) + .registerEntity(new EntityDefinition(GroupRepresentation.class, "path", List.of("id", "subGroups", "attributes", "clientRoles"))) + .registerEntity(new EntityDefinition(AuthenticationFlowRepresentation.class, "alias", List.of("id", "authenticationExecutions"))) + .registerEntity(new EntityDefinition(IdentityProviderRepresentation.class, "alias", List.of("internalId"))) + .registerEntity(EntityDefinitionBuilder.entityDefinition(IdentityProviderMapperRepresentation.class) + .withIdPropertyNames("name", "identityProviderAlias") + .withIgnoredProperties("id").build()) + .registerEntity(new EntityDefinition(RequiredActionProviderRepresentation.class, "alias")) + .registerEntity(new EntityDefinition(UserFederationProviderRepresentation.class, "displayName", List.of("id"))) + .registerEntity(EntityDefinitionBuilder.entityDefinition(UserFederationMapperRepresentation.class) + .withIdPropertyNames("name", "federationProviderDisplayName") + .withIgnoredProperties("id").build()) + .registerEntity(new EntityDefinition(ComponentExportRepresentation.class, "name", List.of("id", "subComponents", "config"))); + } +} diff --git a/src/main/java/de/adorsys/keycloak/config/exception/NormalizationException.java b/src/main/java/de/adorsys/keycloak/config/exception/NormalizationException.java new file mode 100644 index 000000000..6261834b8 --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/exception/NormalizationException.java @@ -0,0 +1,31 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.exception; + +public class NormalizationException extends RuntimeException { + public NormalizationException(String message, Throwable cause) { + super(message, cause); + } + + public NormalizationException(String message) { + super(message); + } +} diff --git a/src/main/java/de/adorsys/keycloak/config/factory/UsedAuthenticationFlowWorkaroundFactory.java b/src/main/java/de/adorsys/keycloak/config/factory/UsedAuthenticationFlowWorkaroundFactory.java index c1aa21641..083871587 100644 --- a/src/main/java/de/adorsys/keycloak/config/factory/UsedAuthenticationFlowWorkaroundFactory.java +++ b/src/main/java/de/adorsys/keycloak/config/factory/UsedAuthenticationFlowWorkaroundFactory.java @@ -34,11 +34,13 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.*; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class UsedAuthenticationFlowWorkaroundFactory { private final RealmRepository realmRepository; diff --git a/src/main/java/de/adorsys/keycloak/config/model/AuthenticationFlowImport.java b/src/main/java/de/adorsys/keycloak/config/model/AuthenticationFlowImport.java index 01c046ced..8eba514ba 100644 --- a/src/main/java/de/adorsys/keycloak/config/model/AuthenticationFlowImport.java +++ b/src/main/java/de/adorsys/keycloak/config/model/AuthenticationFlowImport.java @@ -23,6 +23,7 @@ import org.apache.commons.lang3.ObjectUtils; import org.keycloak.representations.idm.AuthenticationExecutionExportRepresentation; import org.keycloak.representations.idm.AuthenticationFlowRepresentation; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Component; import java.io.Serializable; @@ -34,6 +35,7 @@ */ @Component +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class AuthenticationFlowImport extends AuthenticationFlowRepresentation { private static final Comparator COMPARATOR = new AuthenticationExecutionExportRepresentationComparator(); diff --git a/src/main/java/de/adorsys/keycloak/config/model/RealmImport.java b/src/main/java/de/adorsys/keycloak/config/model/RealmImport.java index 33ac1e157..a6f86cc19 100644 --- a/src/main/java/de/adorsys/keycloak/config/model/RealmImport.java +++ b/src/main/java/de/adorsys/keycloak/config/model/RealmImport.java @@ -25,6 +25,7 @@ import org.keycloak.representations.idm.AuthenticationFlowRepresentation; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.userprofile.config.UPConfig; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Component; import java.util.ArrayList; @@ -32,6 +33,7 @@ import java.util.Map; @Component +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class RealmImport extends RealmRepresentation { private List authenticationFlowImports; diff --git a/src/main/java/de/adorsys/keycloak/config/properties/ImportConfigProperties.java b/src/main/java/de/adorsys/keycloak/config/properties/ImportConfigProperties.java index a9ca479f1..3e84838ba 100644 --- a/src/main/java/de/adorsys/keycloak/config/properties/ImportConfigProperties.java +++ b/src/main/java/de/adorsys/keycloak/config/properties/ImportConfigProperties.java @@ -21,6 +21,7 @@ package de.adorsys.keycloak.config.properties; import org.springframework.boot.context.properties.ConfigurationProperties; +import org.springframework.boot.context.properties.bind.DefaultValue; import org.springframework.validation.annotation.Validated; import java.util.Collection; @@ -61,10 +62,14 @@ public class ImportConfigProperties { @Valid private final ImportRemoteStateProperties remoteState; - public ImportConfigProperties(boolean validate, boolean parallel, - ImportFilesProperties files, ImportVarSubstitutionProperties varSubstitution, - ImportBehaviorsProperties behaviors, ImportCacheProperties cache, ImportManagedProperties managed, - ImportRemoteStateProperties remoteState + public ImportConfigProperties(@DefaultValue("true") boolean validate, + @DefaultValue("false") boolean parallel, + @DefaultValue ImportFilesProperties files, + @DefaultValue ImportVarSubstitutionProperties varSubstitution, + @DefaultValue ImportBehaviorsProperties behaviors, + @DefaultValue ImportCacheProperties cache, + @DefaultValue ImportManagedProperties managed, + @DefaultValue ImportRemoteStateProperties remoteState ) { this.validate = validate; this.parallel = parallel; @@ -158,16 +163,22 @@ public static class ImportManagedProperties { @NotNull private final ImportManagedPropertiesValues messageBundles; - public ImportManagedProperties(ImportManagedPropertiesValues requiredAction, ImportManagedPropertiesValues group, - ImportManagedPropertiesValues clientScope, ImportManagedPropertiesValues scopeMapping, - ImportManagedPropertiesValues clientScopeMapping, ImportManagedPropertiesValues component, - ImportManagedPropertiesValues subComponent, ImportManagedPropertiesValues authenticationFlow, - ImportManagedPropertiesValues identityProvider, ImportManagedPropertiesValues identityProviderMapper, - ImportManagedPropertiesValues role, ImportManagedPropertiesValues client, - ImportManagedPropertiesValues clientAuthorizationResources, - ImportManagedPropertiesValues clientAuthorizationPolicies, - ImportManagedPropertiesValues clientAuthorizationScopes, - ImportManagedPropertiesValues messageBundles) { + public ImportManagedProperties(@DefaultValue("FULL") ImportManagedPropertiesValues requiredAction, + @DefaultValue("FULL") ImportManagedPropertiesValues group, + @DefaultValue("FULL") ImportManagedPropertiesValues clientScope, + @DefaultValue("FULL") ImportManagedPropertiesValues scopeMapping, + @DefaultValue("FULL") ImportManagedPropertiesValues clientScopeMapping, + @DefaultValue("FULL") ImportManagedPropertiesValues component, + @DefaultValue("FULL") ImportManagedPropertiesValues subComponent, + @DefaultValue("FULL") ImportManagedPropertiesValues authenticationFlow, + @DefaultValue("FULL") ImportManagedPropertiesValues identityProvider, + @DefaultValue("FULL") ImportManagedPropertiesValues identityProviderMapper, + @DefaultValue("FULL") ImportManagedPropertiesValues role, + @DefaultValue("FULL") ImportManagedPropertiesValues client, + @DefaultValue("FULL") ImportManagedPropertiesValues clientAuthorizationResources, + @DefaultValue("FULL") ImportManagedPropertiesValues clientAuthorizationPolicies, + @DefaultValue("FULL") ImportManagedPropertiesValues clientAuthorizationScopes, + @DefaultValue("FULL") ImportManagedPropertiesValues messageBundles) { this.requiredAction = requiredAction; this.group = group; this.clientScope = clientScope; @@ -266,7 +277,9 @@ public static class ImportFilesProperties { @NotNull private final boolean includeHiddenFiles; - public ImportFilesProperties(Collection locations, Collection excludes, boolean includeHiddenFiles) { + public ImportFilesProperties(Collection locations, + @DefaultValue Collection excludes, + @DefaultValue("false") boolean includeHiddenFiles) { this.locations = locations; this.excludes = excludes; this.includeHiddenFiles = includeHiddenFiles; @@ -302,7 +315,11 @@ public static class ImportVarSubstitutionProperties { @NotNull private final String suffix; - public ImportVarSubstitutionProperties(boolean enabled, boolean nested, boolean undefinedIsError, String prefix, String suffix) { + public ImportVarSubstitutionProperties(@DefaultValue("false") boolean enabled, + @DefaultValue("true") boolean nested, + @DefaultValue("true") boolean undefinedIsError, + @DefaultValue("$(") String prefix, + @DefaultValue(")") String suffix) { this.enabled = enabled; this.nested = nested; this.undefinedIsError = undefinedIsError; @@ -390,7 +407,8 @@ public static class ImportCacheProperties { @NotNull private final String key; - public ImportCacheProperties(boolean enabled, String key) { + public ImportCacheProperties(@DefaultValue("true") boolean enabled, + @DefaultValue("default") String key) { this.enabled = enabled; this.key = key; } @@ -414,7 +432,9 @@ public static class ImportRemoteStateProperties { @Pattern(regexp = "^[A-Fa-f0-9]+$") private final String encryptionSalt; - public ImportRemoteStateProperties(boolean enabled, String encryptionKey, String encryptionSalt) { + public ImportRemoteStateProperties(@DefaultValue("true") boolean enabled, + String encryptionKey, + @DefaultValue("2B521C795FBE2F2425DB150CD3700BA9") String encryptionSalt) { this.enabled = enabled; this.encryptionKey = encryptionKey; this.encryptionSalt = encryptionSalt; diff --git a/src/main/java/de/adorsys/keycloak/config/properties/KeycloakConfigProperties.java b/src/main/java/de/adorsys/keycloak/config/properties/KeycloakConfigProperties.java index 0dc8339de..a188db216 100644 --- a/src/main/java/de/adorsys/keycloak/config/properties/KeycloakConfigProperties.java +++ b/src/main/java/de/adorsys/keycloak/config/properties/KeycloakConfigProperties.java @@ -21,6 +21,7 @@ package de.adorsys.keycloak.config.properties; import org.springframework.boot.context.properties.ConfigurationProperties; +import org.springframework.boot.context.properties.bind.DefaultValue; import org.springframework.validation.annotation.Validated; import java.net.URL; @@ -69,19 +70,19 @@ public class KeycloakConfigProperties { private final KeycloakAvailabilityCheck availabilityCheck; public KeycloakConfigProperties( - String loginRealm, - String clientId, + @DefaultValue("master") String loginRealm, + @DefaultValue("admin-cli") String clientId, String version, String url, - String user, + @DefaultValue("admin") String user, String password, - String clientSecret, - String grantType, - boolean sslVerify, + @DefaultValue("") String clientSecret, + @DefaultValue("password") String grantType, + @DefaultValue("true") boolean sslVerify, URL httpProxy, - KeycloakAvailabilityCheck availabilityCheck, - Duration connectTimeout, - Duration readTimeout + @DefaultValue KeycloakAvailabilityCheck availabilityCheck, + @DefaultValue("10s") Duration connectTimeout, + @DefaultValue("10s") Duration readTimeout ) { this.loginRealm = loginRealm; this.clientId = clientId; @@ -161,7 +162,9 @@ public static class KeycloakAvailabilityCheck { private final Duration retryDelay; @SuppressWarnings("unused") - public KeycloakAvailabilityCheck(boolean enabled, Duration timeout, Duration retryDelay) { + public KeycloakAvailabilityCheck(@DefaultValue("false") boolean enabled, + @DefaultValue("120s") Duration timeout, + @DefaultValue("2s") Duration retryDelay) { this.enabled = enabled; this.timeout = timeout; this.retryDelay = retryDelay; diff --git a/src/main/java/de/adorsys/keycloak/config/properties/NormalizationConfigProperties.java b/src/main/java/de/adorsys/keycloak/config/properties/NormalizationConfigProperties.java new file mode 100644 index 000000000..07a898055 --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/properties/NormalizationConfigProperties.java @@ -0,0 +1,107 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2021 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.properties; + +import org.springframework.boot.context.properties.ConfigurationProperties; +import org.springframework.boot.context.properties.bind.DefaultValue; +import org.springframework.validation.annotation.Validated; + +import java.util.Collection; + +import jakarta.validation.Valid; +import jakarta.validation.constraints.NotNull; + +@ConfigurationProperties(prefix = "normalization", ignoreUnknownFields = false) +@Validated +public class NormalizationConfigProperties { + + @Valid + private final NormalizationFilesProperties files; + + private final OutputFormat outputFormat; + + private final String fallbackVersion; + + public NormalizationConfigProperties(@DefaultValue NormalizationFilesProperties files, + @DefaultValue("yaml") OutputFormat outputFormat, + String fallbackVersion) { + this.files = files; + this.outputFormat = outputFormat; + this.fallbackVersion = fallbackVersion; + } + + public NormalizationFilesProperties getFiles() { + return files; + } + + public OutputFormat getOutputFormat() { + return outputFormat; + } + + public String getFallbackVersion() { + return fallbackVersion; + } + + public static class NormalizationFilesProperties { + + @NotNull + private final Collection inputLocations; + + @NotNull + private final Collection excludes; + + @NotNull + private final boolean includeHiddenFiles; + + @NotNull + private final String outputDirectory; + + public NormalizationFilesProperties(Collection inputLocations, + @DefaultValue Collection excludes, + @DefaultValue("false") boolean includeHiddenFiles, + String outputDirectory) { + this.inputLocations = inputLocations; + this.excludes = excludes; + this.includeHiddenFiles = includeHiddenFiles; + this.outputDirectory = outputDirectory; + } + + public Collection getInputLocations() { + return inputLocations; + } + + public Collection getExcludes() { + return excludes; + } + + public boolean isIncludeHiddenFiles() { + return includeHiddenFiles; + } + + public String getOutputDirectory() { + return outputDirectory; + } + } + + public enum OutputFormat { + JSON, YAML + } +} diff --git a/src/main/java/de/adorsys/keycloak/config/properties/NormalizationKeycloakConfigProperties.java b/src/main/java/de/adorsys/keycloak/config/properties/NormalizationKeycloakConfigProperties.java new file mode 100644 index 000000000..c11edb36e --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/properties/NormalizationKeycloakConfigProperties.java @@ -0,0 +1,47 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2021 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.properties; + +import org.springframework.boot.context.properties.ConfigurationProperties; +import org.springframework.validation.annotation.Validated; + +import jakarta.validation.constraints.NotNull; + +/* + * Duplicated prefix keycloak. Since only one of the two classes is loaded (depending on configuration) this is fine. + * This saves us from having to define a keycloak address for the normalization usage, since we don't actually need to + * talk to a keycloak instance, and we only need to know the version. + */ +@ConfigurationProperties(prefix = "normalize", ignoreUnknownFields = false) +@Validated +public class NormalizationKeycloakConfigProperties { + + @NotNull + private final String version; + + public NormalizationKeycloakConfigProperties(String version) { + this.version = version; + } + + public String getVersion() { + return version; + } +} diff --git a/src/main/java/de/adorsys/keycloak/config/properties/RunConfigProperties.java b/src/main/java/de/adorsys/keycloak/config/properties/RunConfigProperties.java new file mode 100644 index 000000000..ede1713bb --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/properties/RunConfigProperties.java @@ -0,0 +1,44 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.properties; + +import org.springframework.boot.context.properties.ConfigurationProperties; +import org.springframework.boot.context.properties.bind.DefaultValue; +import org.springframework.validation.annotation.Validated; + +@ConfigurationProperties(prefix = "run", ignoreUnknownFields = false) +@Validated +public class RunConfigProperties { + + private final Operation operation; + + public RunConfigProperties(@DefaultValue("IMPORT") Operation operation) { + this.operation = operation; + } + + public Operation getOperation() { + return operation; + } + + public enum Operation { + IMPORT, NORMALIZE + } +} diff --git a/src/main/java/de/adorsys/keycloak/config/provider/BaselineProvider.java b/src/main/java/de/adorsys/keycloak/config/provider/BaselineProvider.java new file mode 100644 index 000000000..f2722a904 --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/provider/BaselineProvider.java @@ -0,0 +1,111 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.provider; + +import com.fasterxml.jackson.databind.ObjectMapper; +import de.adorsys.keycloak.config.exception.NormalizationException; +import de.adorsys.keycloak.config.properties.NormalizationConfigProperties; +import org.keycloak.representations.idm.ClientRepresentation; +import org.keycloak.representations.idm.RealmRepresentation; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.stereotype.Component; + +import java.io.IOException; +import java.io.InputStream; +import java.nio.charset.StandardCharsets; + +@Component +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class BaselineProvider { + + private static final Logger logger = LoggerFactory.getLogger(BaselineProvider.class); + private static final String PLACEHOLDER = "REALM_NAME_PLACEHOLDER"; + + private final ObjectMapper objectMapper; + + private final String fallbackVersion; + + @Autowired + public BaselineProvider(ObjectMapper objectMapper, NormalizationConfigProperties normalizationConfigProperties) { + this.objectMapper = objectMapper; + this.fallbackVersion = normalizationConfigProperties.getFallbackVersion(); + } + + public RealmRepresentation getRealm(String version, String realmName) { + try (var inputStream = getRealmInputStream(version)) { + /* + * Replace the placeholder with the realm name to import. This sets some internal values like role names, + * baseUrls and redirectUrls so that they don't get picked up as "changes" + */ + var realmString = new String(inputStream.readAllBytes(), StandardCharsets.UTF_8).replace(PLACEHOLDER, realmName); + return objectMapper.readValue(realmString, RealmRepresentation.class); + } catch (IOException ex) { + throw new NormalizationException(String.format("Failed to load baseline realm for version %s", version), ex); + } + } + + public ClientRepresentation getClient(String version, String clientId) { + try (var is = getClientInputStream(version)) { + var client = objectMapper.readValue(is, ClientRepresentation.class); + client.setClientId(clientId); + return client; + } catch (IOException ex) { + throw new NormalizationException(String.format("Failed to load baseline client for version %s", version), ex); + } + } + + public InputStream getRealmInputStream(String version) { + var inputStream = getClass().getResourceAsStream(String.format("/baseline/%s/realm/realm.json", version)); + if (inputStream == null) { + if (fallbackVersion != null) { + logger.warn("Reference realm not found for version {}. Using fallback version {}!", version, fallbackVersion); + inputStream = getClass().getResourceAsStream(String.format("/baseline/%s/realm/realm.json", fallbackVersion)); + if (inputStream == null) { + throw new NormalizationException(String.format("Reference realm for version %s does not exist, " + + "and fallback version %s does not exist either. Aborting!", version, fallbackVersion)); + } + } else { + throw new NormalizationException(String.format("Reference realm for version %s does not exist. Aborting!", version)); + } + } + return inputStream; + } + + public InputStream getClientInputStream(String version) { + var inputStream = getClass().getResourceAsStream(String.format("/baseline/%s/client/client.json", version)); + if (inputStream == null) { + if (fallbackVersion != null) { + logger.debug("Reference client not found for version {}. Using fallback version {}!", version, fallbackVersion); + inputStream = getClass().getResourceAsStream(String.format("/baseline/%s/client/client.json", fallbackVersion)); + if (inputStream == null) { + throw new NormalizationException(String.format("Reference client for version %s does not exist, " + + "and fallback version %s does not exist either. Aborting!", version, fallbackVersion)); + } + } else { + throw new NormalizationException(String.format("Reference client for version %s does not exist. Aborting!", version)); + } + } + return inputStream; + } +} diff --git a/src/main/java/de/adorsys/keycloak/config/provider/KeycloakExportProvider.java b/src/main/java/de/adorsys/keycloak/config/provider/KeycloakExportProvider.java new file mode 100644 index 000000000..c64c00a2e --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/provider/KeycloakExportProvider.java @@ -0,0 +1,232 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2021 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.provider; + +import com.fasterxml.jackson.databind.DeserializationFeature; +import com.fasterxml.jackson.databind.ObjectMapper; +import de.adorsys.keycloak.config.exception.InvalidImportException; +import de.adorsys.keycloak.config.model.ImportResource; +import de.adorsys.keycloak.config.properties.NormalizationConfigProperties; +import org.apache.commons.lang3.tuple.ImmutablePair; +import org.apache.commons.lang3.tuple.Pair; +import org.keycloak.representations.idm.RealmRepresentation; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.core.io.Resource; +import org.springframework.core.io.UrlResource; +import org.springframework.core.io.support.PathMatchingResourcePatternResolver; +import org.springframework.stereotype.Component; +import org.springframework.util.PathMatcher; +import org.yaml.snakeyaml.Yaml; + +import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.net.Authenticator; +import java.net.PasswordAuthentication; +import java.nio.charset.StandardCharsets; +import java.util.*; +import java.util.stream.Collectors; + +/* + * This class heavily copy pastes code from KeycloakImportProvider. This can probably be reduced quite a bit by moving some code out to a shared class + */ +@Component +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class KeycloakExportProvider { + + private static final Logger logger = LoggerFactory.getLogger(KeycloakExportProvider.class); + + private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper() + .enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES); + + private final PathMatchingResourcePatternResolver patternResolver; + + private final NormalizationConfigProperties normalizationConfigProperties; + + @Autowired + public KeycloakExportProvider(PathMatchingResourcePatternResolver patternResolver, + NormalizationConfigProperties normalizationConfigProperties) { + this.patternResolver = patternResolver; + this.normalizationConfigProperties = normalizationConfigProperties; + } + + public Map>> readFromLocations() { + Map>> files = new LinkedHashMap<>(); + + for (String location : normalizationConfigProperties.getFiles().getInputLocations()) { + logger.debug("Loading file location '{}'", location); + String resourceLocation = prepareResourceLocation(location); + + Resource[] resources; + try { + resources = this.patternResolver.getResources(resourceLocation); + } catch (IOException e) { + throw new InvalidImportException("Unable to proceed location '" + location + "': " + e.getMessage(), e); + } + + resources = Arrays.stream(resources).filter(this::filterExcludedResources).toArray(Resource[]::new); + + if (resources.length == 0) { + throw new InvalidImportException("No files matching '" + location + "'!"); + } + + Map> exports = Arrays.stream(resources) + .map(this::readResource) + .filter(this::filterEmptyResources) + .sorted(Map.Entry.comparingByKey()) + .map(this::readRealms) + .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue, + (oldValue, newValue) -> oldValue, LinkedHashMap::new)); + files.put(location, exports); + } + return files; + } + + private Pair> readRealms(ImportResource resource) { + String location = resource.getFilename(); + String content = resource.getValue(); + + if (logger.isTraceEnabled()) { + logger.trace(content); + } + + List realms; + try { + realms = readContent(content); + } catch (Exception e) { + throw new InvalidImportException("Unable to parse file '" + location + "': " + e.getMessage(), e); + } + return new ImmutablePair<>(location, realms); + } + + private List readContent(String content) { + List realms = new ArrayList<>(); + + Yaml yaml = new Yaml(); + Iterable yamlDocuments = yaml.loadAll(content); + + for (Object yamlDocument : yamlDocuments) { + realms.add(OBJECT_MAPPER.convertValue(yamlDocument, RealmRepresentation.class)); + } + return realms; + } + + private String prepareResourceLocation(String location) { + String importLocation = location; + + importLocation = importLocation.replaceFirst("^zip:", "jar:"); + + // backward compatibility to correct a possible missing prefix "file:" in path + if (!importLocation.contains(":")) { + importLocation = "file:" + importLocation; + } + return importLocation; + } + + private boolean filterExcludedResources(Resource resource) { + if (!resource.isFile()) { + return true; + } + + File file; + + try { + file = resource.getFile(); + } catch (IOException ignored) { + return true; + } + + if (file.isDirectory()) { + return false; + } + + if (!this.normalizationConfigProperties.getFiles().isIncludeHiddenFiles() + && (file.isHidden() || FileUtils.hasHiddenAncestorDirectory(file))) { + return false; + } + + PathMatcher pathMatcher = patternResolver.getPathMatcher(); + return normalizationConfigProperties.getFiles().getExcludes() + .stream() + .map(pattern -> pattern.startsWith("**") ? "/" + pattern : pattern) + .map(pattern -> !pattern.startsWith("/**") ? "/**" + pattern : pattern) + .map(pattern -> !pattern.startsWith("/") ? "/" + pattern : pattern) + .noneMatch(pattern -> { + boolean match = pathMatcher.match(pattern, file.getPath()); + if (match) { + logger.debug("Excluding resource file '{}' (match {})", file.getPath(), pattern); + return true; + } + return false; + }); + } + + private ImportResource readResource(Resource resource) { + logger.debug("Loading file '{}'", resource.getFilename()); + + try { + resource = setupAuthentication(resource); + try (InputStream inputStream = resource.getInputStream()) { + return new ImportResource(resource.getURI().toString(), new String(inputStream.readAllBytes(), StandardCharsets.UTF_8)); + } + } catch (IOException e) { + throw new InvalidImportException("Unable to proceed resource '" + resource + "': " + e.getMessage(), e); + } finally { + Authenticator.setDefault(null); + } + } + + private Resource setupAuthentication(Resource resource) throws IOException { + String userInfo; + + try { + userInfo = resource.getURL().getUserInfo(); + } catch (IOException e) { + return resource; + } + + if (userInfo == null) return resource; + + String[] userInfoSplit = userInfo.split(":"); + + if (userInfoSplit.length != 2) return resource; + + Authenticator.setDefault(new Authenticator() { + @Override + protected PasswordAuthentication getPasswordAuthentication() { + return new PasswordAuthentication(userInfoSplit[0], userInfoSplit[1].toCharArray()); + } + }); + + // Mask AuthInfo + String location = resource.getURI().toString().replace(userInfo + "@", "***@"); + return new UrlResource(location); + } + + private boolean filterEmptyResources(ImportResource resource) { + return !resource.getValue().isEmpty(); + } + + +} diff --git a/src/main/java/de/adorsys/keycloak/config/provider/KeycloakImportProvider.java b/src/main/java/de/adorsys/keycloak/config/provider/KeycloakImportProvider.java index 13506aefa..f8c025ed0 100644 --- a/src/main/java/de/adorsys/keycloak/config/provider/KeycloakImportProvider.java +++ b/src/main/java/de/adorsys/keycloak/config/provider/KeycloakImportProvider.java @@ -36,6 +36,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.core.env.Environment; import org.springframework.core.io.Resource; import org.springframework.core.io.UrlResource; @@ -54,6 +55,7 @@ import java.util.stream.Collectors; @Component +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class KeycloakImportProvider { private final PathMatchingResourcePatternResolver patternResolver; private final ImportConfigProperties importConfigProperties; diff --git a/src/main/java/de/adorsys/keycloak/config/provider/KeycloakProvider.java b/src/main/java/de/adorsys/keycloak/config/provider/KeycloakProvider.java index 20be19461..e76f5e59f 100644 --- a/src/main/java/de/adorsys/keycloak/config/provider/KeycloakProvider.java +++ b/src/main/java/de/adorsys/keycloak/config/provider/KeycloakProvider.java @@ -33,6 +33,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Component; import java.net.URI; @@ -51,6 +52,7 @@ * to avoid a deadlock. */ @Component +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class KeycloakProvider implements AutoCloseable { private static final Logger logger = LoggerFactory.getLogger(KeycloakProvider.class); diff --git a/src/main/java/de/adorsys/keycloak/config/repository/AuthenticationFlowRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/AuthenticationFlowRepository.java index 959f68d12..69989a2ec 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/AuthenticationFlowRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/AuthenticationFlowRepository.java @@ -32,6 +32,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import org.springframework.util.Assert; @@ -45,6 +46,7 @@ import jakarta.ws.rs.core.Response; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class AuthenticationFlowRepository { private static final Logger logger = LoggerFactory.getLogger(AuthenticationFlowRepository.class); diff --git a/src/main/java/de/adorsys/keycloak/config/repository/AuthenticatorConfigRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/AuthenticatorConfigRepository.java index 10107cbc4..b9849fb46 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/AuthenticatorConfigRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/AuthenticatorConfigRepository.java @@ -24,12 +24,14 @@ import org.keycloak.representations.idm.AuthenticatorConfigRepresentation; import org.keycloak.representations.idm.RealmRepresentation; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.List; import java.util.Objects; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class AuthenticatorConfigRepository { private final AuthenticationFlowRepository authenticationFlowRepository; private final RealmRepository realmRepository; diff --git a/src/main/java/de/adorsys/keycloak/config/repository/ClientPoliciesRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/ClientPoliciesRepository.java index 5fe290ecd..551323d13 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/ClientPoliciesRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/ClientPoliciesRepository.java @@ -28,9 +28,11 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Component; @Component +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ClientPoliciesRepository { private static final Logger logger = LoggerFactory.getLogger(ClientPoliciesRepository.class); diff --git a/src/main/java/de/adorsys/keycloak/config/repository/ClientRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/ClientRepository.java index 8b89e4a47..e4a159009 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/ClientRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/ClientRepository.java @@ -35,6 +35,7 @@ import org.keycloak.representations.idm.authorization.ResourceServerRepresentation; import org.keycloak.representations.idm.authorization.ScopeRepresentation; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.List; @@ -47,6 +48,7 @@ import jakarta.ws.rs.core.Response; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ClientRepository { private final RealmRepository realmRepository; diff --git a/src/main/java/de/adorsys/keycloak/config/repository/ClientScopeRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/ClientScopeRepository.java index a5a8bdaa1..239daa9eb 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/ClientScopeRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/ClientScopeRepository.java @@ -29,6 +29,7 @@ import org.keycloak.representations.idm.ClientScopeRepresentation; import org.keycloak.representations.idm.ProtocolMapperRepresentation; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.ArrayList; @@ -40,6 +41,7 @@ import jakarta.ws.rs.core.Response; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ClientScopeRepository { private final RealmRepository realmRepository; diff --git a/src/main/java/de/adorsys/keycloak/config/repository/ComponentRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/ComponentRepository.java index 388f05073..0ee803767 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/ComponentRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/ComponentRepository.java @@ -28,6 +28,7 @@ import org.keycloak.admin.client.resource.RealmResource; import org.keycloak.representations.idm.ComponentRepresentation; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.Collections; @@ -39,6 +40,7 @@ import jakarta.ws.rs.core.Response; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ComponentRepository { private final RealmRepository realmRepository; diff --git a/src/main/java/de/adorsys/keycloak/config/repository/ExecutionFlowRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/ExecutionFlowRepository.java index a806e06a3..8aae2acd1 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/ExecutionFlowRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/ExecutionFlowRepository.java @@ -31,6 +31,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.HashMap; @@ -42,6 +43,7 @@ import jakarta.ws.rs.core.Response; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ExecutionFlowRepository { private static final Logger logger = LoggerFactory.getLogger(ExecutionFlowRepository.class); diff --git a/src/main/java/de/adorsys/keycloak/config/repository/GroupRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/GroupRepository.java index ad3227c35..662a196f4 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/GroupRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/GroupRepository.java @@ -32,6 +32,7 @@ import org.keycloak.representations.idm.ManagementPermissionRepresentation; import org.keycloak.representations.idm.RoleRepresentation; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.ArrayList; @@ -42,6 +43,7 @@ import jakarta.ws.rs.core.Response; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class GroupRepository { private final RealmRepository realmRepository; diff --git a/src/main/java/de/adorsys/keycloak/config/repository/IdentityProviderMapperRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/IdentityProviderMapperRepository.java index 84563091b..7d557a464 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/IdentityProviderMapperRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/IdentityProviderMapperRepository.java @@ -26,6 +26,7 @@ import org.keycloak.representations.idm.IdentityProviderMapperRepresentation; import org.keycloak.representations.idm.IdentityProviderRepresentation; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.ArrayList; @@ -36,6 +37,7 @@ import jakarta.ws.rs.core.Response; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class IdentityProviderMapperRepository { private final RealmRepository realmRepository; diff --git a/src/main/java/de/adorsys/keycloak/config/repository/IdentityProviderRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/IdentityProviderRepository.java index 14c89315c..f5cd3fcba 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/IdentityProviderRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/IdentityProviderRepository.java @@ -28,6 +28,7 @@ import org.keycloak.representations.idm.IdentityProviderRepresentation; import org.keycloak.representations.idm.ManagementPermissionRepresentation; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.List; @@ -37,6 +38,7 @@ import jakarta.ws.rs.core.Response; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class IdentityProviderRepository { private final RealmRepository realmRepository; diff --git a/src/main/java/de/adorsys/keycloak/config/repository/RealmRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/RealmRepository.java index 8a6d44c48..4e2d94220 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/RealmRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/RealmRepository.java @@ -28,12 +28,16 @@ import org.keycloak.admin.client.resource.RealmsResource; import org.keycloak.representations.idm.RealmRepresentation; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; +import java.util.List; + import jakarta.ws.rs.NotFoundException; import jakarta.ws.rs.WebApplicationException; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class RealmRepository { private final KeycloakProvider keycloakProvider; @@ -106,4 +110,8 @@ public void removeDefaultDefaultClientScope(String realmName, String scopeId) { public void removeDefaultOptionalClientScope(String realmName, String scopeId) { getResource(realmName).removeDefaultOptionalClientScope(scopeId); } + + public List getRealms() { + return keycloakProvider.getInstance().realms().findAll(); + } } diff --git a/src/main/java/de/adorsys/keycloak/config/repository/RequiredActionRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/RequiredActionRepository.java index b6d91be12..d3801dd47 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/RequiredActionRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/RequiredActionRepository.java @@ -25,6 +25,7 @@ import org.keycloak.representations.idm.RequiredActionProviderRepresentation; import org.keycloak.representations.idm.RequiredActionProviderSimpleRepresentation; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.List; @@ -36,6 +37,7 @@ * Provides methods to retrieve and store required-actions in your realm */ @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class RequiredActionRepository { private final AuthenticationFlowRepository authenticationFlowRepository; diff --git a/src/main/java/de/adorsys/keycloak/config/repository/RoleCompositeRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/RoleCompositeRepository.java index 6eee79b85..7c831c33c 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/RoleCompositeRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/RoleCompositeRepository.java @@ -26,6 +26,7 @@ import org.keycloak.representations.idm.ClientRepresentation; import org.keycloak.representations.idm.RoleRepresentation; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.*; @@ -33,6 +34,7 @@ import java.util.stream.Collectors; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class RoleCompositeRepository { private final RoleRepository roleRepository; diff --git a/src/main/java/de/adorsys/keycloak/config/repository/RoleRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/RoleRepository.java index b72397dab..43439ccbf 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/RoleRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/RoleRepository.java @@ -27,6 +27,7 @@ import org.keycloak.admin.client.resource.*; import org.keycloak.representations.idm.*; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.lang.Nullable; import org.springframework.stereotype.Service; @@ -36,6 +37,7 @@ import jakarta.ws.rs.NotFoundException; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class RoleRepository { private final RealmRepository realmRepository; private final ClientRepository clientRepository; diff --git a/src/main/java/de/adorsys/keycloak/config/repository/ScopeMappingRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/ScopeMappingRepository.java index 7578129ab..0ae7a37a7 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/ScopeMappingRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/ScopeMappingRepository.java @@ -26,6 +26,7 @@ import org.keycloak.representations.idm.RoleRepresentation; import org.keycloak.representations.idm.ScopeMappingRepresentation; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.Collection; @@ -33,6 +34,7 @@ import java.util.Objects; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ScopeMappingRepository { private final RealmRepository realmRepository; diff --git a/src/main/java/de/adorsys/keycloak/config/repository/StateRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/StateRepository.java index 212ab611f..38679f63f 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/StateRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/StateRepository.java @@ -24,6 +24,7 @@ import de.adorsys.keycloak.config.properties.ImportConfigProperties; import de.adorsys.keycloak.config.util.CryptoUtil; import org.keycloak.representations.idm.RealmRepresentation; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Component; import java.text.MessageFormat; @@ -36,6 +37,7 @@ import static de.adorsys.keycloak.config.util.JsonUtil.toJson; @Component +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class StateRepository { private static final int MAX_ATTRIBUTE_LENGTH = 250; diff --git a/src/main/java/de/adorsys/keycloak/config/repository/UserProfileRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/UserProfileRepository.java index ceee55568..3d4af81a1 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/UserProfileRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/UserProfileRepository.java @@ -27,10 +27,12 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Component; import org.springframework.util.StringUtils; @Component +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class UserProfileRepository { private static final Logger logger = LoggerFactory.getLogger(UserProfileRepository.class); diff --git a/src/main/java/de/adorsys/keycloak/config/repository/UserRepository.java b/src/main/java/de/adorsys/keycloak/config/repository/UserRepository.java index e6ba35d2a..640ece584 100644 --- a/src/main/java/de/adorsys/keycloak/config/repository/UserRepository.java +++ b/src/main/java/de/adorsys/keycloak/config/repository/UserRepository.java @@ -28,6 +28,7 @@ import org.keycloak.representations.idm.GroupRepresentation; import org.keycloak.representations.idm.UserRepresentation; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.List; @@ -36,6 +37,7 @@ import jakarta.ws.rs.core.Response; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class UserRepository { private final RealmRepository realmRepository; diff --git a/src/main/java/de/adorsys/keycloak/config/service/AuthenticationFlowsImportService.java b/src/main/java/de/adorsys/keycloak/config/service/AuthenticationFlowsImportService.java index 9de2e9cef..a47fa2037 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/AuthenticationFlowsImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/AuthenticationFlowsImportService.java @@ -35,6 +35,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.ArrayList; @@ -53,6 +54,7 @@ * sub-flow: any flow which has the property 'topLevel' set to 'false' and which are related to execution-flows within topLevel-flows */ @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class AuthenticationFlowsImportService { private static final Logger logger = LoggerFactory.getLogger(AuthenticationFlowsImportService.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/AuthenticatorConfigImportService.java b/src/main/java/de/adorsys/keycloak/config/service/AuthenticatorConfigImportService.java index c4a6aa4e5..dc60cba1e 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/AuthenticatorConfigImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/AuthenticatorConfigImportService.java @@ -29,6 +29,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.ArrayList; @@ -39,6 +40,7 @@ import java.util.stream.Stream; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class AuthenticatorConfigImportService { private static final Logger logger = LoggerFactory.getLogger(AuthenticatorConfigImportService.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/ClientAuthorizationImportService.java b/src/main/java/de/adorsys/keycloak/config/service/ClientAuthorizationImportService.java index 5532832f3..b3ab46000 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/ClientAuthorizationImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/ClientAuthorizationImportService.java @@ -45,6 +45,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.HashMap; @@ -60,6 +61,7 @@ @Service @SuppressWarnings({"java:S1192"}) +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ClientAuthorizationImportService { private static final Logger logger = LoggerFactory.getLogger(ClientAuthorizationImportService.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/ClientImportService.java b/src/main/java/de/adorsys/keycloak/config/service/ClientImportService.java index 92b0b26f8..ae59dfcdd 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/ClientImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/ClientImportService.java @@ -39,6 +39,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.*; @@ -52,6 +53,7 @@ @Service @SuppressWarnings({"java:S1192"}) +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ClientImportService { private static final Logger logger = LoggerFactory.getLogger(ClientImportService.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/ClientPoliciesImportService.java b/src/main/java/de/adorsys/keycloak/config/service/ClientPoliciesImportService.java index 6522bc24a..337f5089e 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/ClientPoliciesImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/ClientPoliciesImportService.java @@ -29,9 +29,11 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ClientPoliciesImportService { private static final Logger logger = LoggerFactory.getLogger(ClientPoliciesImportService.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/ClientScopeImportService.java b/src/main/java/de/adorsys/keycloak/config/service/ClientScopeImportService.java index d242a73da..b93ea5b6d 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/ClientScopeImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/ClientScopeImportService.java @@ -32,6 +32,7 @@ import org.keycloak.representations.idm.RealmRepresentation; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.List; @@ -40,6 +41,7 @@ import java.util.function.Consumer; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ClientScopeImportService { private static final Logger logger = LoggerFactory.getLogger(ClientScopeImportService.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/ClientScopeMappingImportService.java b/src/main/java/de/adorsys/keycloak/config/service/ClientScopeMappingImportService.java index 73eea8a76..305bb3aa9 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/ClientScopeMappingImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/ClientScopeMappingImportService.java @@ -32,6 +32,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.ArrayList; @@ -41,6 +42,7 @@ import java.util.function.Predicate; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ClientScopeMappingImportService { private static final Logger logger = LoggerFactory.getLogger(ClientScopeMappingImportService.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/ComponentImportService.java b/src/main/java/de/adorsys/keycloak/config/service/ComponentImportService.java index 586283ab2..0d8bd3042 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/ComponentImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/ComponentImportService.java @@ -34,11 +34,13 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.*; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ComponentImportService { private static final Logger logger = LoggerFactory.getLogger(ComponentImportService.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/DefaultGroupsImportService.java b/src/main/java/de/adorsys/keycloak/config/service/DefaultGroupsImportService.java index e10f91849..3c9aedce2 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/DefaultGroupsImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/DefaultGroupsImportService.java @@ -26,6 +26,7 @@ import de.adorsys.keycloak.config.repository.RealmRepository; import org.keycloak.admin.client.resource.RealmResource; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.List; @@ -33,6 +34,7 @@ import jakarta.ws.rs.NotFoundException; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class DefaultGroupsImportService { private final RealmRepository realmRepository; private final GroupRepository groupRepository; diff --git a/src/main/java/de/adorsys/keycloak/config/service/ExecutionFlowsImportService.java b/src/main/java/de/adorsys/keycloak/config/service/ExecutionFlowsImportService.java index de40b5cd6..59c1d1f9b 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/ExecutionFlowsImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/ExecutionFlowsImportService.java @@ -31,6 +31,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.HashMap; @@ -44,6 +45,7 @@ * Imports executions and execution-flows of existing top-level flows */ @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ExecutionFlowsImportService { private static final Logger logger = LoggerFactory.getLogger(ExecutionFlowsImportService.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/GroupImportService.java b/src/main/java/de/adorsys/keycloak/config/service/GroupImportService.java index e40637026..013a160fe 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/GroupImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/GroupImportService.java @@ -30,6 +30,7 @@ import org.keycloak.representations.idm.GroupRepresentation; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import org.springframework.util.CollectionUtils; @@ -38,6 +39,7 @@ import java.util.stream.Collectors; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class GroupImportService { private static final Logger logger = LoggerFactory.getLogger(GroupImportService.class); private static final int LOAD_CREATED_GROUP_MAX_RETRIES = 5; diff --git a/src/main/java/de/adorsys/keycloak/config/service/IdentityProviderImportService.java b/src/main/java/de/adorsys/keycloak/config/service/IdentityProviderImportService.java index d2dbfb63e..a444e14a2 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/IdentityProviderImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/IdentityProviderImportService.java @@ -30,6 +30,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.List; @@ -39,6 +40,7 @@ import static de.adorsys.keycloak.config.properties.ImportConfigProperties.ImportManagedProperties.ImportManagedPropertiesValues; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class IdentityProviderImportService { private static final Logger logger = LoggerFactory.getLogger(IdentityProviderImportService.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/MessageBundleImportService.java b/src/main/java/de/adorsys/keycloak/config/service/MessageBundleImportService.java index 5d415ba90..922ebcba2 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/MessageBundleImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/MessageBundleImportService.java @@ -29,6 +29,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.List; @@ -39,6 +40,7 @@ * Creates and updates message bundles in your realm */ @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class MessageBundleImportService { private static final Logger logger = LoggerFactory.getLogger(MessageBundleImportService.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/RealmImportService.java b/src/main/java/de/adorsys/keycloak/config/service/RealmImportService.java index c1af0878e..14c31518c 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/RealmImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/RealmImportService.java @@ -31,9 +31,11 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class RealmImportService { static final String[] ignoredPropertiesForRealmImport = new String[]{ "authenticatorConfig", diff --git a/src/main/java/de/adorsys/keycloak/config/service/RequiredActionsImportService.java b/src/main/java/de/adorsys/keycloak/config/service/RequiredActionsImportService.java index 602c0db55..1cc001119 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/RequiredActionsImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/RequiredActionsImportService.java @@ -30,6 +30,7 @@ import org.keycloak.representations.idm.RequiredActionProviderSimpleRepresentation; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.List; @@ -40,6 +41,7 @@ * Creates and updates required-actions in your realm */ @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class RequiredActionsImportService { private static final Logger logger = LoggerFactory.getLogger(RequiredActionsImportService.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/RoleImportService.java b/src/main/java/de/adorsys/keycloak/config/service/RoleImportService.java index 745e7cdb9..447e6815e 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/RoleImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/RoleImportService.java @@ -34,6 +34,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.List; @@ -44,6 +45,7 @@ import java.util.stream.Collectors; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class RoleImportService { private static final Logger logger = LoggerFactory.getLogger(RoleImportService.class); private static final String[] propertiesWithDependencies = new String[]{ diff --git a/src/main/java/de/adorsys/keycloak/config/service/ScopeMappingImportService.java b/src/main/java/de/adorsys/keycloak/config/service/ScopeMappingImportService.java index aab449917..602eca15c 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/ScopeMappingImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/ScopeMappingImportService.java @@ -30,6 +30,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.List; @@ -38,6 +39,7 @@ import java.util.Set; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ScopeMappingImportService { private static final Logger logger = LoggerFactory.getLogger(ScopeMappingImportService.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/UserImportService.java b/src/main/java/de/adorsys/keycloak/config/service/UserImportService.java index 595805013..031409269 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/UserImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/UserImportService.java @@ -34,6 +34,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import org.springframework.util.StringUtils; @@ -42,6 +43,7 @@ import java.util.stream.Collectors; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class UserImportService { private static final Logger logger = LoggerFactory.getLogger(UserImportService.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/UserProfileImportService.java b/src/main/java/de/adorsys/keycloak/config/service/UserProfileImportService.java index 48ee64525..95fac2fa7 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/UserProfileImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/UserProfileImportService.java @@ -26,9 +26,11 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class UserProfileImportService { private static final Logger logger = LoggerFactory.getLogger(UserProfileImportService.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/checksum/ChecksumService.java b/src/main/java/de/adorsys/keycloak/config/service/checksum/ChecksumService.java index 87bd7b21a..2cd98d18d 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/checksum/ChecksumService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/checksum/ChecksumService.java @@ -31,6 +31,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.text.MessageFormat; @@ -38,6 +39,7 @@ import java.util.Objects; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ChecksumService { private static final Logger logger = LoggerFactory.getLogger(ChecksumService.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/normalize/AttributeNormalizationService.java b/src/main/java/de/adorsys/keycloak/config/service/normalize/AttributeNormalizationService.java new file mode 100644 index 000000000..267faab0d --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/service/normalize/AttributeNormalizationService.java @@ -0,0 +1,96 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.service.normalize; + +import org.javers.core.Javers; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.stereotype.Service; + +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Objects; + +import static de.adorsys.keycloak.config.service.normalize.RealmNormalizationService.*; + +@Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class AttributeNormalizationService { + + private final Javers unOrderedJavers; + + public AttributeNormalizationService(Javers unOrderedJavers) { + this.unOrderedJavers = unOrderedJavers; + } + + public Map normalizeStringAttributes(Map exportedAttributes, Map baselineAttributes) { + var exportedOrEmpty = getNonNull(exportedAttributes); + var baselineOrEmpty = getNonNull(baselineAttributes); + var normalizedAttributes = new HashMap(); + for (var entry : baselineOrEmpty.entrySet()) { + var attributeName = entry.getKey(); + var baselineAttribute = entry.getValue(); + var exportedAttribute = exportedOrEmpty.remove(attributeName); + + if (!Objects.equals(baselineAttribute, exportedAttribute)) { + normalizedAttributes.put(attributeName, exportedAttribute); + } + } + normalizedAttributes.putAll(exportedOrEmpty); + return normalizedAttributes.isEmpty() ? null : normalizedAttributes; + } + + public Map> normalizeListAttributes(Map> exportedAttributes, + Map> baselineAttributes) { + var exportedOrEmpty = getNonNull(exportedAttributes); + var baselineOrEmpty = getNonNull(baselineAttributes); + var normalizedAttributes = new HashMap>(); + for (var entry : baselineOrEmpty.entrySet()) { + var attributeName = entry.getKey(); + var baselineAttribute = entry.getValue(); + var exportedAttribute = exportedOrEmpty.remove(attributeName); + + if (unOrderedJavers.compareCollections(baselineAttribute, exportedAttribute, String.class).hasChanges()) { + normalizedAttributes.put(attributeName, exportedAttribute); + } + } + normalizedAttributes.putAll(exportedOrEmpty); + return normalizedAttributes.isEmpty() ? null : normalizedAttributes; + } + + public boolean listAttributesChanged(Map> exportedAttributes, Map> baselineAttributes) { + var exportedOrEmpty = getNonNull(exportedAttributes); + var baselineOrEmpty = getNonNull(baselineAttributes); + + if (!Objects.equals(exportedOrEmpty.keySet(), baselineOrEmpty.keySet())) { + return true; + } + + for (var entry : baselineOrEmpty.entrySet()) { + if (unOrderedJavers.compareCollections(entry.getValue(), + exportedOrEmpty.get(entry.getKey()), String.class).hasChanges()) { + return true; + } + } + return false; + } + +} diff --git a/src/main/java/de/adorsys/keycloak/config/service/normalize/AuthFlowNormalizationService.java b/src/main/java/de/adorsys/keycloak/config/service/normalize/AuthFlowNormalizationService.java new file mode 100644 index 000000000..6f00051a4 --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/service/normalize/AuthFlowNormalizationService.java @@ -0,0 +1,238 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.service.normalize; + +import org.javers.core.Javers; +import org.keycloak.representations.idm.AbstractAuthenticationExecutionRepresentation; +import org.keycloak.representations.idm.AuthenticationExecutionExportRepresentation; +import org.keycloak.representations.idm.AuthenticationFlowRepresentation; +import org.keycloak.representations.idm.AuthenticatorConfigRepresentation; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.stereotype.Service; + +import java.util.ArrayList; +import java.util.Collection; +import java.util.Comparator; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Objects; +import java.util.function.Function; +import java.util.stream.Collectors; + +import static de.adorsys.keycloak.config.service.normalize.RealmNormalizationService.getNonNull; +import static java.util.function.Predicate.not; + +@Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class AuthFlowNormalizationService { + + private static final Logger logger = LoggerFactory.getLogger(AuthFlowNormalizationService.class); + + private final Javers unOrderedJavers; + + public AuthFlowNormalizationService(Javers unOrderedJavers) { + this.unOrderedJavers = unOrderedJavers; + } + + public List normalizeAuthFlows(List exportedAuthFlows, + List baselineAuthFlows) { + var exportedFiltered = filterBuiltIn(exportedAuthFlows); + var baselineFiltered = filterBuiltIn(baselineAuthFlows); + + Map exportedMap = exportedFiltered.stream() + .collect(Collectors.toMap(AuthenticationFlowRepresentation::getAlias, Function.identity())); + Map baselineMap = baselineFiltered.stream() + .collect(Collectors.toMap(AuthenticationFlowRepresentation::getAlias, Function.identity())); + + List normalizedFlows = new ArrayList<>(); + for (var entry : baselineMap.entrySet()) { + var alias = entry.getKey(); + var exportedFlow = exportedMap.remove(alias); + if (exportedFlow == null) { + logger.warn("Default realm authentication flow '{}' was deleted in exported realm. It may be reintroduced during import", alias); + continue; + } + var baselineFlow = entry.getValue(); + var diff = unOrderedJavers.compare(baselineFlow, exportedFlow); + + if (diff.hasChanges() || executionsChanged(exportedFlow.getAuthenticationExecutions(), baselineFlow.getAuthenticationExecutions())) { + normalizedFlows.add(exportedFlow); + } + } + normalizedFlows.addAll(exportedMap.values()); + for (var flow : normalizedFlows) { + flow.setId(null); + } + normalizedFlows = filterUnusedNonTopLevel(normalizedFlows); + detectBrokenAuthenticationFlows(normalizedFlows); + return normalizedFlows.isEmpty() ? null : normalizedFlows; + } + + public void detectBrokenAuthenticationFlows(List flows) { + var flowsByAlias = flows.stream().collect(Collectors.toMap(AuthenticationFlowRepresentation::getAlias, Function.identity())); + for (var flow : flows) { + for (var execution : flow.getAuthenticationExecutions()) { + var flowAlias = execution.getFlowAlias(); + var authenticator = execution.getAuthenticator(); + + if (flowAlias != null && authenticator != null) { + var referencedFlow = flowsByAlias.get(flowAlias); + if (!"form-flow".equals(referencedFlow.getProviderId())) { + logger.error("An execution of flow '{}' defines an authenticator and references the sub-flow '{}'." + + " This is only possible if the sub-flow is of type 'form-flow', but it is of type '{}'." + + " keycloak-config-cli will refuse to import this flow. See NORMALIZE.md for more information.", + flow.getAlias(), flowAlias, referencedFlow.getProviderId()); + } + } + } + } + + } + + public List normalizeAuthConfig(List configs, + List flows) { + var flowsOrEmpty = getNonNull(flows); + // Find out which configs are actually used by the normalized flows + var usedConfigs = flowsOrEmpty.stream() + .map(AuthenticationFlowRepresentation::getAuthenticationExecutions) + .map(l -> l.stream() + .map(AbstractAuthenticationExecutionRepresentation::getAuthenticatorConfig) + .collect(Collectors.toList())).flatMap(Collection::stream) + .collect(Collectors.toSet()); + + var configOrEmpty = getNonNull(configs); + // Only return configs that are used + var filteredConfigs = configOrEmpty.stream() + .filter(acr -> usedConfigs.contains(acr.getAlias())).collect(Collectors.toList()); + + var duplicates = new HashSet(); + var seen = new HashSet(); + for (var config : filteredConfigs) { + config.setId(null); + if (seen.contains(config.getAlias())) { + duplicates.add(config.getAlias()); + } else { + seen.add(config.getAlias()); + } + } + + if (!duplicates.isEmpty()) { + logger.warn("The following authenticator configs are duplicates: {}. " + + "Check NORMALIZE.md for an SQL query to find the offending entries in your database!", duplicates); + } + + if (configs.size() != filteredConfigs.size()) { + logger.warn("Some authenticator configs are unused. Check NORMALIZE.md for an SQL query to find the offending entries in your database!"); + } + return filteredConfigs.isEmpty() ? null : filteredConfigs; + } + + private List filterBuiltIn(List flows) { + if (flows == null) { + return new ArrayList<>(); + } + return flows.stream().filter(not(AuthenticationFlowRepresentation::isBuiltIn)).collect(Collectors.toList()); + } + + private List filterUnusedNonTopLevel(List flows) { + // Assume all top level flows are used + var usedFlows = flows.stream().filter(AuthenticationFlowRepresentation::isTopLevel).collect(Collectors.toList()); + var potentialUnused = flows.stream().filter(not(AuthenticationFlowRepresentation::isTopLevel)) + .collect(Collectors.toMap(AuthenticationFlowRepresentation::getAlias, Function.identity())); + var toCheck = new ArrayList<>(usedFlows); + while (!toCheck.isEmpty()) { + var toRemove = new ArrayList(); + for (var flow : toCheck) { + for (var execution : flow.getAuthenticationExecutions()) { + var alias = execution.getFlowAlias(); + if (alias != null && potentialUnused.containsKey(alias)) { + toRemove.add(alias); + } + } + } + toCheck.clear(); + for (var alias : toRemove) { + toCheck.add(potentialUnused.remove(alias)); + } + usedFlows.addAll(toCheck); + } + if (usedFlows.size() != flows.size()) { + logger.warn("The following authentication flows are unused: {}. " + + "Check NORMALIZE.md for an SQL query to find the offending entries in your database!", potentialUnused.keySet()); + } + return usedFlows; + } + + public boolean executionsChanged(List exportedExecutions, + List baselineExecutions) { + if (exportedExecutions == null && baselineExecutions != null) { + return true; + } + + if (exportedExecutions != null && baselineExecutions == null) { + return true; + } + + if (exportedExecutions == null) { + return false; + } + + if (exportedExecutions.size() != baselineExecutions.size()) { + return true; + } + + exportedExecutions.sort(Comparator.comparing(AbstractAuthenticationExecutionRepresentation::getPriority)); + baselineExecutions.sort(Comparator.comparing(AbstractAuthenticationExecutionRepresentation::getPriority)); + + for (int i = 0; i < exportedExecutions.size(); i++) { + if (executionChanged(exportedExecutions.get(i), baselineExecutions.get(i))) { + return true; + } + } + return false; + } + + public boolean executionChanged(AuthenticationExecutionExportRepresentation exportedExecution, + AuthenticationExecutionExportRepresentation baselineExecution) { + if (!Objects.equals(exportedExecution.getAuthenticatorConfig(), baselineExecution.getAuthenticatorConfig())) { + return true; + } + if (!Objects.equals(exportedExecution.getAuthenticator(), baselineExecution.getAuthenticator())) { + return true; + } + if (!Objects.equals(exportedExecution.isAuthenticatorFlow(), baselineExecution.isAuthenticatorFlow())) { + return true; + } + if (!Objects.equals(exportedExecution.getRequirement(), baselineExecution.getRequirement())) { + return true; + } + if (!Objects.equals(exportedExecution.getPriority(), baselineExecution.getPriority())) { + return true; + } + if (!Objects.equals(exportedExecution.getFlowAlias(), baselineExecution.getFlowAlias())) { + return true; + } + return !Objects.equals(exportedExecution.isUserSetupAllowed(), baselineExecution.isUserSetupAllowed()); + } +} diff --git a/src/main/java/de/adorsys/keycloak/config/service/normalize/ClientNormalizationService.java b/src/main/java/de/adorsys/keycloak/config/service/normalize/ClientNormalizationService.java new file mode 100644 index 000000000..e36b40063 --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/service/normalize/ClientNormalizationService.java @@ -0,0 +1,169 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.service.normalize; + +import de.adorsys.keycloak.config.provider.BaselineProvider; +import de.adorsys.keycloak.config.util.JaversUtil; +import org.javers.core.Javers; +import org.javers.core.diff.changetype.PropertyChange; +import org.keycloak.representations.idm.AuthenticationFlowRepresentation; +import org.keycloak.representations.idm.ClientRepresentation; +import org.keycloak.representations.idm.ProtocolMapperRepresentation; +import org.keycloak.representations.idm.RealmRepresentation; +import org.keycloak.representations.idm.authorization.ResourceServerRepresentation; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.stereotype.Service; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Set; +import java.util.stream.Collectors; + +import static de.adorsys.keycloak.config.service.normalize.RealmNormalizationService.getNonNull; + +@Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class ClientNormalizationService { + + private static final Set SAML_ATTRIBUTES = Set.of("saml_signature_canonicalization_method", "saml.onetimeuse.condition", + "saml_name_id_format", "saml.authnstatement", "saml.server.signature.keyinfo$xmlSigKeyInfoKeyNameTransformer", + "saml_force_name_id_format", "saml.artifact.binding", "saml.artifact.binding.identifier", "saml.server.signature", "saml.encrypt", + "saml.assertion.signature", "saml.allow.ecp.flow", "saml.signing.private.key", "saml.force.name.id.format", "saml.client.signature", + "saml.signature.algorithm", "saml.signing.certificate", "saml.server.signature.keyinfo.ext", "saml.multivalued.roles", + "saml.force.post.binding"); + + private static final Logger logger = LoggerFactory.getLogger(ClientNormalizationService.class); + private final Javers unOrderedJavers; + private final BaselineProvider baselineProvider; + private final JaversUtil javersUtil; + + public ClientNormalizationService(Javers unOrderedJavers, + BaselineProvider baselineProvider, + JaversUtil javersUtil) { + this.unOrderedJavers = unOrderedJavers; + this.baselineProvider = baselineProvider; + this.javersUtil = javersUtil; + } + + public List normalizeClients(RealmRepresentation exportedRealm, RealmRepresentation baselineRealm) { + var exportedOrEmpty = getNonNull(exportedRealm.getClients()); + var baselineOrEmpty = getNonNull(baselineRealm.getClients()); + var exportedClientMap = new HashMap(); + for (var exportedClient : exportedOrEmpty) { + exportedClientMap.put(exportedClient.getClientId(), exportedClient); + } + + var baselineClientMap = new HashMap(); + var clients = new ArrayList(); + for (var baselineRealmClient : baselineOrEmpty) { + var clientId = baselineRealmClient.getClientId(); + baselineClientMap.put(clientId, baselineRealmClient); + var exportedClient = exportedClientMap.get(clientId); + if (exportedClient == null) { + logger.warn("Default realm client '{}' was deleted in exported realm. It may be reintroduced during import!", clientId); + /* + * Here we need to define a configuration parameter: If we want the import *not* to reintroduce default clients that were + * deleted, we need to add *all* clients, not just default clients to the dump. Then during import, set the mode that + * makes clients fully managed, so that *only* clients that are in the dump end up in the realm + */ + continue; + } + if (clientChanged(exportedClient, baselineRealmClient)) { + // We know the client has changed in some way. Now, compare it to a default client to minimize it + clients.add(normalizeClient(exportedClient, exportedRealm.getKeycloakVersion(), exportedRealm)); + } + } + + // Now iterate over all the clients that are *not* default clients + for (Map.Entry e : exportedClientMap.entrySet()) { + if (!baselineClientMap.containsKey(e.getKey())) { + clients.add(normalizeClient(e.getValue(), exportedRealm.getKeycloakVersion(), exportedRealm)); + } + } + return clients; + } + + public ClientRepresentation normalizeClient(ClientRepresentation client, String keycloakVersion, RealmRepresentation exportedRealm) { + var clientId = client.getClientId(); + var baselineClient = baselineProvider.getClient(keycloakVersion, clientId); + var diff = unOrderedJavers.compare(baselineClient, client); + var normalizedClient = new ClientRepresentation(); + for (var change : diff.getChangesByType(PropertyChange.class)) { + javersUtil.applyChange(normalizedClient, change); + } + + // Always include protocol, even if it's the default "openid-connect" + normalizedClient.setProtocol(client.getProtocol()); + var mappers = client.getProtocolMappers(); + normalizedClient.setProtocolMappers(mappers); + if (mappers != null) { + for (var mapper : mappers) { + mapper.setId(null); + } + } + normalizedClient.setAuthorizationSettings(client.getAuthorizationSettings()); + normalizedClient.setClientId(clientId); + + // Older versions of keycloak include SAML attributes even in OIDC clients. Ignore these. + if (normalizedClient.getProtocol().equals("openid-connect") && normalizedClient.getAttributes() != null) { + normalizedClient.getAttributes().keySet().removeIf(SAML_ATTRIBUTES::contains); + } + + if (normalizedClient.getAuthenticationFlowBindingOverrides() != null) { + var overrides = new HashMap(); + var flows = exportedRealm.getAuthenticationFlows().stream() + .collect(Collectors.toMap(AuthenticationFlowRepresentation::getId, AuthenticationFlowRepresentation::getAlias)); + for (var entry : normalizedClient.getAuthenticationFlowBindingOverrides().entrySet()) { + var id = entry.getValue(); + overrides.put(entry.getKey(), flows.get(id)); + } + normalizedClient.setAuthenticationFlowBindingOverrides(overrides); + } + normalizedClient.setPublicClient(client.isPublicClient()); + return normalizedClient; + } + + public boolean clientChanged(ClientRepresentation exportedClient, ClientRepresentation baselineClient) { + var diff = unOrderedJavers.compare(baselineClient, exportedClient); + if (diff.hasChanges()) { + return true; + } + if (protocolMappersChanged(exportedClient.getProtocolMappers(), baselineClient.getProtocolMappers())) { + return true; + } + return authorizationSettingsChanged(exportedClient.getAuthorizationSettings(), baselineClient.getAuthorizationSettings()); + } + + public boolean protocolMappersChanged(List exportedMappers, List baselineMappers) { + // CompareCollections doesn't handle nulls gracefully + return unOrderedJavers.compareCollections(getNonNull(baselineMappers), getNonNull(exportedMappers), ProtocolMapperRepresentation.class) + .hasChanges(); + } + + public boolean authorizationSettingsChanged(ResourceServerRepresentation exportedSettings, ResourceServerRepresentation baselineSettings) { + return unOrderedJavers.compare(baselineSettings, exportedSettings).hasChanges(); + } + +} diff --git a/src/main/java/de/adorsys/keycloak/config/service/normalize/ClientPolicyNormalizationService.java b/src/main/java/de/adorsys/keycloak/config/service/normalize/ClientPolicyNormalizationService.java new file mode 100644 index 000000000..823e13257 --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/service/normalize/ClientPolicyNormalizationService.java @@ -0,0 +1,49 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2023 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.service.normalize; + +import org.keycloak.representations.idm.ClientPoliciesRepresentation; +import org.keycloak.representations.idm.ClientProfilesRepresentation; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.stereotype.Service; + +@Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class ClientPolicyNormalizationService { + + public ClientPoliciesRepresentation normalizePolicies(ClientPoliciesRepresentation exportedPolicies, + ClientPoliciesRepresentation baselinePolicies) { + var policies = exportedPolicies.getPolicies(); + if (policies == null || policies.isEmpty()) { + return null; + } + return exportedPolicies; + } + + public ClientProfilesRepresentation normalizeProfiles(ClientProfilesRepresentation exportedProfiles, + ClientProfilesRepresentation baselineProfiles) { + var profiles = exportedProfiles.getProfiles(); + if (profiles == null || profiles.isEmpty()) { + return null; + } + return exportedProfiles; + } +} diff --git a/src/main/java/de/adorsys/keycloak/config/service/normalize/ClientScopeNormalizationService.java b/src/main/java/de/adorsys/keycloak/config/service/normalize/ClientScopeNormalizationService.java new file mode 100644 index 000000000..3825beee2 --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/service/normalize/ClientScopeNormalizationService.java @@ -0,0 +1,107 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.service.normalize; + +import org.javers.core.Javers; +import org.keycloak.representations.idm.ClientScopeRepresentation; +import org.keycloak.representations.idm.ProtocolMapperRepresentation; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.stereotype.Service; + +import java.util.ArrayList; +import java.util.List; +import java.util.function.Function; +import java.util.stream.Collectors; + +import static de.adorsys.keycloak.config.service.normalize.RealmNormalizationService.getNonNull; + +@Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class ClientScopeNormalizationService { + + private static final Logger logger = LoggerFactory.getLogger(ClientScopeNormalizationService.class); + + private final Javers unOrderedJavers; + + public ClientScopeNormalizationService(Javers unOrderedJavers) { + this.unOrderedJavers = unOrderedJavers; + } + + public List normalizeClientScopes(List exportedScopes, + List baselineScopes) { + var exportedOrEmpty = getNonNull(exportedScopes); + var baselineOrEmpty = getNonNull(baselineScopes); + + var exportedMap = exportedOrEmpty.stream().collect(Collectors.toMap(ClientScopeRepresentation::getName, + Function.identity())); + var baselineMap = baselineOrEmpty.stream().collect(Collectors.toMap(ClientScopeRepresentation::getName, + Function.identity())); + + var normalizedScopes = new ArrayList(); + for (var entry : baselineMap.entrySet()) { + var scopeName = entry.getKey(); + var baselineScope = entry.getValue(); + var exportedScope = exportedMap.remove(scopeName); + + if (exportedScope == null) { + logger.warn("Default realm clientScope '{}' was deleted in exported realm. It may be reintroduced during import!", scopeName); + continue; + } + + if (clientScopeChanged(exportedScope, baselineScope)) { + normalizedScopes.add(exportedScope); + } + } + normalizedScopes.addAll(exportedMap.values()); + + normalizeList(normalizedScopes); + return normalizedScopes.isEmpty() ? null : normalizedScopes; + } + + private static void normalizeList(ArrayList normalizedScopes) { + for (var scope : normalizedScopes) { + scope.setId(null); + if (scope.getProtocolMappers() != null) { + for (var mapper : scope.getProtocolMappers()) { + mapper.setId(null); + } + if (scope.getProtocolMappers().isEmpty()) { + scope.setProtocolMappers(null); + } + } + } + } + + public boolean clientScopeChanged(ClientScopeRepresentation exportedScope, ClientScopeRepresentation baselineScope) { + if (unOrderedJavers.compare(baselineScope, exportedScope).hasChanges()) { + return true; + } + + return protocolMappersChanged(exportedScope.getProtocolMappers(), baselineScope.getProtocolMappers()); + } + + public boolean protocolMappersChanged(List exportedMappers, List baselineMappers) { + return unOrderedJavers.compareCollections(getNonNull(baselineMappers), getNonNull(exportedMappers), + ProtocolMapperRepresentation.class).hasChanges(); + } +} diff --git a/src/main/java/de/adorsys/keycloak/config/service/normalize/ComponentNormalizationService.java b/src/main/java/de/adorsys/keycloak/config/service/normalize/ComponentNormalizationService.java new file mode 100644 index 000000000..274fa709f --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/service/normalize/ComponentNormalizationService.java @@ -0,0 +1,90 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.service.normalize; + +import org.javers.core.Javers; +import org.keycloak.common.util.MultivaluedHashMap; +import org.keycloak.representations.idm.ComponentExportRepresentation; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.stereotype.Service; + +import java.util.List; + +import static de.adorsys.keycloak.config.service.normalize.RealmNormalizationService.getNonNull; + +@Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class ComponentNormalizationService { + + private static final Logger logger = LoggerFactory.getLogger(ComponentNormalizationService.class); + + private final Javers unOrderedJavers; + + public ComponentNormalizationService(Javers unOrderedJavers) { + this.unOrderedJavers = unOrderedJavers; + } + + public MultivaluedHashMap + normalizeComponents(MultivaluedHashMap exportedComponents, + MultivaluedHashMap baselineComponents) { + var exportedOrEmpty = getNonNull(exportedComponents); + var baselineOrEmpty = getNonNull(baselineComponents); + + var normalizedMap = new MultivaluedHashMap(); + for (var entry : baselineOrEmpty.entrySet()) { + var componentClass = entry.getKey(); + + var exportedList = exportedOrEmpty.remove(componentClass); + + if (exportedList == null) { + logger.warn("Default realm component '{}' was deleted in exported realm. It may be reintroduced during import!", componentClass); + continue; + } + var baselineList = entry.getValue(); + var normalizedList = normalizeList(exportedList, baselineList, componentClass); + normalizedMap.put(componentClass, normalizedList); + } + normalizedMap.putAll(exportedOrEmpty); + //var toRemove = new HashSet(); + for (var entry : normalizedMap.entrySet()) { + var componentList = entry.getValue(); + for (var component : componentList) { + normalizeEntry(component); + } + } + return new MultivaluedHashMap<>(); + } + + public List normalizeList(List exportedComponents, + List baselineComponents, + String componentClass) { + return List.of(); + } + + public void normalizeEntry(ComponentExportRepresentation component) { + component.setId(null); + if (component.getConfig() != null && component.getConfig().isEmpty()) { + component.setConfig(null); + } + } +} diff --git a/src/main/java/de/adorsys/keycloak/config/service/normalize/GroupNormalizationService.java b/src/main/java/de/adorsys/keycloak/config/service/normalize/GroupNormalizationService.java new file mode 100644 index 000000000..10cf28c6b --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/service/normalize/GroupNormalizationService.java @@ -0,0 +1,141 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.service.normalize; + +import org.javers.core.Javers; +import org.keycloak.representations.idm.GroupRepresentation; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.stereotype.Service; + +import java.util.ArrayList; +import java.util.List; +import java.util.Map; +import java.util.function.Function; +import java.util.stream.Collectors; + +import static de.adorsys.keycloak.config.service.normalize.RealmNormalizationService.getNonNull; + +@Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class GroupNormalizationService { + + private static final Logger logger = LoggerFactory.getLogger(GroupNormalizationService.class); + + private final Javers unOrderedJavers; + private final AttributeNormalizationService attributeNormalizationService; + + public GroupNormalizationService(Javers unOrderedJavers, + AttributeNormalizationService attributeNormalizationService) { + this.unOrderedJavers = unOrderedJavers; + this.attributeNormalizationService = attributeNormalizationService; + } + + public List normalizeGroups(List exportedGroups, List baselineGroups) { + var exportedOrEmpty = getNonNull(exportedGroups); + var baselineOrEmpty = getNonNull(baselineGroups); + var exportedGroupsMap = exportedOrEmpty.stream() + .collect(Collectors.toMap(GroupRepresentation::getPath, Function.identity())); + var baselineGroupsMap = baselineOrEmpty.stream() + .collect(Collectors.toMap(GroupRepresentation::getPath, Function.identity())); + + var normalizedGroups = new ArrayList(); + for (var entry : baselineGroupsMap.entrySet()) { + var groupPath = entry.getKey(); + var exportedGroup = exportedGroupsMap.remove(groupPath); + if (exportedGroup == null) { + logger.warn("Default realm group '{}' was deleted in exported realm. It may be reintroduced during import", groupPath); + continue; + } + var baselineGroup = entry.getValue(); + var diff = unOrderedJavers.compare(baselineGroup, exportedGroup); + + if (diff.hasChanges() || subGroupsChanged(exportedGroup, baselineGroup) + || attributeNormalizationService.listAttributesChanged(exportedGroup.getAttributes(), baselineGroup.getAttributes()) + || attributeNormalizationService.listAttributesChanged(exportedGroup.getClientRoles(), baselineGroup.getClientRoles())) { + normalizedGroups.add(exportedGroup); + } + } + normalizedGroups.addAll(exportedGroupsMap.values()); + normalizeGroupList(normalizedGroups); + return normalizedGroups.isEmpty() ? null : normalizedGroups; + } + + public boolean subGroupsChanged(GroupRepresentation exportedGroup, GroupRepresentation baselineGroup) { + if (exportedGroup.getSubGroups() == null && baselineGroup.getSubGroups() != null) { + return true; + } + if (exportedGroup.getSubGroups() != null && baselineGroup.getSubGroups() == null) { + return true; + } + if (exportedGroup.getSubGroups() == null && baselineGroup.getSubGroups() == null) { + return false; + } + + Map exportedSubGroups = exportedGroup.getSubGroups().stream() + .collect(Collectors.toMap(GroupRepresentation::getPath, Function.identity())); + Map baselineSubGroups = baselineGroup.getSubGroups().stream() + .collect(Collectors.toMap(GroupRepresentation::getPath, Function.identity())); + + for (var entry : baselineSubGroups.entrySet()) { + var groupPath = entry.getKey(); + var exportedSubGroup = exportedSubGroups.remove(groupPath); + + if (exportedSubGroup == null) { + // There's a subgroup in the baseline that's gone in the export. This counts as a change. + return true; + } + var baselineSubGroup = entry.getValue(); + if (unOrderedJavers.compare(baselineSubGroup, exportedSubGroup).hasChanges()) { + return true; + } + if (subGroupsChanged(exportedSubGroup, baselineSubGroup)) { + return true; + } + } + + // There are subgroups in the export that are not in the baseline. This is a change. + return !exportedSubGroups.isEmpty(); + } + + public void normalizeGroupList(List groups) { + for (var group : groups) { + if (group.getAttributes() != null && group.getAttributes().isEmpty()) { + group.setAttributes(null); + } + if (group.getRealmRoles() != null && group.getRealmRoles().isEmpty()) { + group.setRealmRoles(null); + } + if (group.getClientRoles() != null && group.getClientRoles().isEmpty()) { + group.setClientRoles(null); + } + if (group.getSubGroups() != null) { + if (group.getSubGroups().isEmpty()) { + group.setSubGroups(null); + } else { + normalizeGroupList(group.getSubGroups()); + } + } + group.setId(null); + } + } +} diff --git a/src/main/java/de/adorsys/keycloak/config/service/normalize/IdentityProviderNormalizationService.java b/src/main/java/de/adorsys/keycloak/config/service/normalize/IdentityProviderNormalizationService.java new file mode 100644 index 000000000..a5d87cdcf --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/service/normalize/IdentityProviderNormalizationService.java @@ -0,0 +1,149 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.service.normalize; + +import org.javers.core.Javers; +import org.keycloak.representations.idm.IdentityProviderMapperRepresentation; +import org.keycloak.representations.idm.IdentityProviderRepresentation; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.stereotype.Service; + +import java.util.ArrayList; +import java.util.List; +import java.util.Objects; +import java.util.function.Function; +import java.util.stream.Collectors; + +import static de.adorsys.keycloak.config.service.normalize.RealmNormalizationService.getNonNull; + +@Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class IdentityProviderNormalizationService { + + private static final Logger logger = LoggerFactory.getLogger(IdentityProviderNormalizationService.class); + + private final Javers unOrderedJavers; + + public IdentityProviderNormalizationService(Javers unOrderedJavers) { + this.unOrderedJavers = unOrderedJavers; + } + + public List normalizeProviders(List exportedProviders, + List baselineProviders) { + var exportedOrEmpty = getNonNull(exportedProviders); + var baselineOrEmpty = getNonNull(baselineProviders); + + var exportedMap = exportedOrEmpty.stream() + .collect(Collectors.toMap(IdentityProviderRepresentation::getAlias, Function.identity())); + var baselineMap = baselineOrEmpty.stream() + .collect(Collectors.toMap(IdentityProviderRepresentation::getAlias, Function.identity())); + + var normalizedProviders = new ArrayList(); + for (var entry : baselineMap.entrySet()) { + var alias = entry.getKey(); + var exportedProvider = exportedMap.remove(alias); + if (exportedProvider == null) { + logger.warn("Default realm identityProvider '{}' was deleted in exported realm. It may be reintroduced during import!", alias); + continue; + } + var baselineProvider = entry.getValue(); + + var diff = unOrderedJavers.compare(baselineProvider, exportedProvider); + if (diff.hasChanges()) { + normalizedProviders.add(exportedProvider); + } + } + normalizedProviders.addAll(exportedMap.values()); + for (var provider : normalizedProviders) { + provider.setInternalId(null); + if (provider.getConfig() != null && provider.getConfig().isEmpty()) { + provider.setConfig(null); + } + } + return normalizedProviders.isEmpty() ? null : normalizedProviders; + } + + public List normalizeMappers(List exportedMappers, + List baselineMappers) { + var exportedOrEmpty = getNonNull(exportedMappers); + var baselineOrEmpty = getNonNull(baselineMappers); + + var exportedMap = exportedOrEmpty.stream() + .collect(Collectors.toMap(m -> new MapperKey(m.getName(), m.getIdentityProviderAlias()), Function.identity())); + var baselineMap = baselineOrEmpty.stream() + .collect(Collectors.toMap(m -> new MapperKey(m.getName(), m.getIdentityProviderAlias()), Function.identity())); + + var normalizedMappers = new ArrayList(); + for (var entry : baselineMap.entrySet()) { + var key = entry.getKey(); + var exportedMapper = exportedMap.remove(key); + if (exportedMapper == null) { + logger.warn("Default realm identityProviderMapper '{}' for idp '{}' was deleted in exported realm." + + "It may be reintroduced during import!", key.getName(), key.getIdentityProviderAlias()); + continue; + } + var baselineMapper = entry.getValue(); + + var diff = unOrderedJavers.compare(baselineMapper, exportedMapper); + if (diff.hasChanges()) { + normalizedMappers.add(exportedMapper); + } + } + normalizedMappers.addAll(exportedMap.values()); + for (var mapper : normalizedMappers) { + mapper.setId(null); + } + return normalizedMappers.isEmpty() ? null : normalizedMappers; + } + + private static class MapperKey { + private final String name; + private final String identityProviderAlias; + + public MapperKey(String name, String identityProviderAlias) { + this.name = name; + this.identityProviderAlias = identityProviderAlias; + } + + public String getName() { + return name; + } + + public String getIdentityProviderAlias() { + return identityProviderAlias; + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + MapperKey mapperKey = (MapperKey) o; + return Objects.equals(name, mapperKey.name) && Objects.equals(identityProviderAlias, mapperKey.identityProviderAlias); + } + + @Override + public int hashCode() { + return Objects.hash(name, identityProviderAlias); + } + } +} diff --git a/src/main/java/de/adorsys/keycloak/config/service/normalize/ProtocolMapperNormalizationService.java b/src/main/java/de/adorsys/keycloak/config/service/normalize/ProtocolMapperNormalizationService.java new file mode 100644 index 000000000..1a65f85b6 --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/service/normalize/ProtocolMapperNormalizationService.java @@ -0,0 +1,82 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.service.normalize; + +import org.javers.core.Javers; +import org.keycloak.representations.idm.ProtocolMapperRepresentation; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.stereotype.Service; + +import java.util.ArrayList; +import java.util.List; +import java.util.function.Function; +import java.util.stream.Collectors; + +import static de.adorsys.keycloak.config.service.normalize.RealmNormalizationService.getNonNull; + +@Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class ProtocolMapperNormalizationService { + + private static final Logger logger = LoggerFactory.getLogger(IdentityProviderNormalizationService.class); + + private final Javers unOrderedJavers; + + public ProtocolMapperNormalizationService(Javers unOrderedJavers) { + this.unOrderedJavers = unOrderedJavers; + } + + public List normalizeProtocolMappers(List exportedMappers, + List baselineMappers) { + var exportedOrEmpty = getNonNull(exportedMappers); + var baselineOrEmpty = getNonNull(baselineMappers); + + var exportedMap = exportedOrEmpty.stream() + .collect(Collectors.toMap(ProtocolMapperRepresentation::getName, Function.identity())); + var baselineMap = baselineOrEmpty.stream() + .collect(Collectors.toMap(ProtocolMapperRepresentation::getName, Function.identity())); + var normalizedMappers = new ArrayList(); + + for (var entry : baselineMap.entrySet()) { + var name = entry.getKey(); + var exportedMapper = exportedMap.remove(name); + if (exportedMapper == null) { + logger.warn("Default realm protocolMapper '{}' was deleted in exported realm. It may be reintroduced during import!", name); + continue; + } + + var baselineMapper = entry.getValue(); + if (unOrderedJavers.compare(baselineMapper, exportedMapper).hasChanges()) { + normalizedMappers.add(exportedMapper); + } + } + normalizedMappers.addAll(exportedMap.values()); + for (var mapper : normalizedMappers) { + mapper.setId(null); + if (mapper.getConfig() != null && mapper.getConfig().isEmpty()) { + mapper.setConfig(null); + } + } + return normalizedMappers.isEmpty() ? null : normalizedMappers; + } +} diff --git a/src/main/java/de/adorsys/keycloak/config/service/normalize/RealmNormalizationService.java b/src/main/java/de/adorsys/keycloak/config/service/normalize/RealmNormalizationService.java new file mode 100644 index 000000000..cb9e1b16b --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/service/normalize/RealmNormalizationService.java @@ -0,0 +1,211 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.service.normalize; + +import de.adorsys.keycloak.config.properties.NormalizationKeycloakConfigProperties; +import de.adorsys.keycloak.config.provider.BaselineProvider; +import de.adorsys.keycloak.config.util.JaversUtil; +import org.javers.core.Javers; +import org.javers.core.diff.changetype.PropertyChange; +import org.keycloak.representations.idm.RealmRepresentation; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.stereotype.Service; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Objects; + +@Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class RealmNormalizationService { + + private static final Logger logger = LoggerFactory.getLogger(RealmNormalizationService.class); + + private final NormalizationKeycloakConfigProperties keycloakConfigProperties; + private final Javers javers; + private final BaselineProvider baselineProvider; + private final ClientNormalizationService clientNormalizationService; + private final ScopeMappingNormalizationService scopeMappingNormalizationService; + private final ProtocolMapperNormalizationService protocolMapperNormalizationService; + private final ClientScopeNormalizationService clientScopeNormalizationService; + private final RoleNormalizationService roleNormalizationService; + private final AttributeNormalizationService attributeNormalizationService; + private final GroupNormalizationService groupNormalizationService; + private final AuthFlowNormalizationService authFlowNormalizationService; + private final IdentityProviderNormalizationService identityProviderNormalizationService; + private final RequiredActionNormalizationService requiredActionNormalizationService; + private final UserFederationNormalizationService userFederationNormalizationService; + private final ClientPolicyNormalizationService clientPolicyNormalizationService; + private final JaversUtil javersUtil; + + @Autowired + public RealmNormalizationService(NormalizationKeycloakConfigProperties keycloakConfigProperties, + Javers javers, + BaselineProvider baselineProvider, + ClientNormalizationService clientNormalizationService, + ScopeMappingNormalizationService scopeMappingNormalizationService, + ProtocolMapperNormalizationService protocolMapperNormalizationService, + ClientScopeNormalizationService clientScopeNormalizationService, + RoleNormalizationService roleNormalizationService, + AttributeNormalizationService attributeNormalizationService, + GroupNormalizationService groupNormalizationService, + AuthFlowNormalizationService authFlowNormalizationService, + IdentityProviderNormalizationService identityProviderNormalizationService, + RequiredActionNormalizationService requiredActionNormalizationService, + UserFederationNormalizationService userFederationNormalizationService, + ClientPolicyNormalizationService clientPolicyNormalizationService, + JaversUtil javersUtil) { + this.keycloakConfigProperties = keycloakConfigProperties; + this.javers = javers; + this.baselineProvider = baselineProvider; + this.clientNormalizationService = clientNormalizationService; + this.scopeMappingNormalizationService = scopeMappingNormalizationService; + this.protocolMapperNormalizationService = protocolMapperNormalizationService; + this.clientScopeNormalizationService = clientScopeNormalizationService; + this.roleNormalizationService = roleNormalizationService; + this.attributeNormalizationService = attributeNormalizationService; + this.groupNormalizationService = groupNormalizationService; + this.authFlowNormalizationService = authFlowNormalizationService; + this.identityProviderNormalizationService = identityProviderNormalizationService; + this.requiredActionNormalizationService = requiredActionNormalizationService; + this.userFederationNormalizationService = userFederationNormalizationService; + this.clientPolicyNormalizationService = clientPolicyNormalizationService; + this.javersUtil = javersUtil; + + // TODO allow extra "default" values to be ignored? + + // TODO Ignore clients by regex + } + + public RealmRepresentation normalizeRealm(RealmRepresentation exportedRealm) { + var keycloakConfigVersion = keycloakConfigProperties.getVersion(); + var exportVersion = exportedRealm.getKeycloakVersion(); + if (!exportVersion.equals(keycloakConfigVersion)) { + logger.warn("Keycloak-Config-CLI keycloak version {} and export keycloak version {} are not equal." + + " This may cause problems if the API changed." + + " Please compile keycloak-config-cli with a matching keycloak version!", + keycloakConfigVersion, exportVersion); + } + var exportedRealmRealm = exportedRealm.getRealm(); + logger.info("Exporting realm {}", exportedRealmRealm); + var baselineRealm = baselineProvider.getRealm(exportVersion, exportedRealmRealm); + + /* + * Trick javers into thinking this is the "same" object, by setting the ID on the reference realm + * to the ID of the current realm. That way we only get actual changes, not a full list of changes + * including the "object removed" and "object added" changes + */ + baselineRealm.setRealm(exportedRealm.getRealm()); + var minimizedRealm = new RealmRepresentation(); + + handleBaseRealm(exportedRealm, baselineRealm, minimizedRealm); + + var clients = clientNormalizationService.normalizeClients(exportedRealm, baselineRealm); + if (!clients.isEmpty()) { + minimizedRealm.setClients(clients); + } + + // No setter for some reason... + var minimizedScopeMappings = scopeMappingNormalizationService.normalizeScopeMappings(exportedRealm, baselineRealm); + if (!minimizedScopeMappings.isEmpty()) { + var scopeMappings = minimizedRealm.getScopeMappings(); + if (scopeMappings == null) { + minimizedRealm.clientScopeMapping("dummy"); + scopeMappings = minimizedRealm.getScopeMappings(); + scopeMappings.clear(); + } + scopeMappings.addAll(minimizedScopeMappings); + } + + var clientScopeMappings = scopeMappingNormalizationService.normalizeClientScopeMappings(exportedRealm, baselineRealm); + if (!clientScopeMappings.isEmpty()) { + minimizedRealm.setClientScopeMappings(clientScopeMappings); + } + + minimizedRealm.setAttributes(attributeNormalizationService.normalizeStringAttributes(exportedRealm.getAttributes(), + baselineRealm.getAttributes())); + + minimizedRealm.setProtocolMappers(protocolMapperNormalizationService.normalizeProtocolMappers(exportedRealm.getProtocolMappers(), + baselineRealm.getProtocolMappers())); + + minimizedRealm.setClientScopes(clientScopeNormalizationService.normalizeClientScopes(exportedRealm.getClientScopes(), + baselineRealm.getClientScopes())); + + minimizedRealm.setRoles(roleNormalizationService.normalizeRoles(exportedRealm.getRoles(), baselineRealm.getRoles())); + + minimizedRealm.setGroups(groupNormalizationService.normalizeGroups(exportedRealm.getGroups(), baselineRealm.getGroups())); + + var authFlows = authFlowNormalizationService.normalizeAuthFlows(exportedRealm.getAuthenticationFlows(), + baselineRealm.getAuthenticationFlows()); + minimizedRealm.setAuthenticationFlows(authFlows); + minimizedRealm.setAuthenticatorConfig(authFlowNormalizationService.normalizeAuthConfig(exportedRealm.getAuthenticatorConfig(), authFlows)); + + minimizedRealm.setIdentityProviders(identityProviderNormalizationService.normalizeProviders(exportedRealm.getIdentityProviders(), + baselineRealm.getIdentityProviders())); + minimizedRealm.setIdentityProviderMappers(identityProviderNormalizationService.normalizeMappers(exportedRealm.getIdentityProviderMappers(), + baselineRealm.getIdentityProviderMappers())); + + minimizedRealm.setRequiredActions(requiredActionNormalizationService.normalizeRequiredActions(exportedRealm.getRequiredActions(), + baselineRealm.getRequiredActions())); + minimizedRealm.setUserFederationProviders(userFederationNormalizationService.normalizeProviders(exportedRealm.getUserFederationProviders(), + baselineRealm.getUserFederationProviders())); + minimizedRealm.setUserFederationMappers(userFederationNormalizationService.normalizeMappers(exportedRealm.getUserFederationMappers(), + baselineRealm.getUserFederationMappers())); + + minimizedRealm.setParsedClientPolicies(clientPolicyNormalizationService.normalizePolicies(exportedRealm.getParsedClientPolicies(), + baselineRealm.getParsedClientPolicies())); + minimizedRealm.setParsedClientProfiles(clientPolicyNormalizationService.normalizeProfiles(exportedRealm.getParsedClientProfiles(), + baselineRealm.getParsedClientProfiles())); + return minimizedRealm; + } + + private void handleBaseRealm(RealmRepresentation exportedRealm, RealmRepresentation baselineRealm, RealmRepresentation minimizedRealm) { + var diff = javers.compare(baselineRealm, exportedRealm); + for (var change : diff.getChangesByType(PropertyChange.class)) { + javersUtil.applyChange(minimizedRealm, change); + } + + // Now that Javers is done, clean up a bit afterwards. We always need to set the realm and enabled fields + minimizedRealm.setRealm(exportedRealm.getRealm()); + minimizedRealm.setEnabled(exportedRealm.isEnabled()); + + // If the realm ID diverges from the name, include it in the dump, otherwise remove it + if (Objects.equals(exportedRealm.getRealm(), exportedRealm.getId())) { + minimizedRealm.setId(null); + } else { + minimizedRealm.setId(exportedRealm.getId()); + } + } + + + public static Map getNonNull(Map in) { + return in == null ? new HashMap<>() : in; + } + + public static List getNonNull(List in) { + return in == null ? new ArrayList<>() : in; + } +} diff --git a/src/main/java/de/adorsys/keycloak/config/service/normalize/RequiredActionNormalizationService.java b/src/main/java/de/adorsys/keycloak/config/service/normalize/RequiredActionNormalizationService.java new file mode 100644 index 000000000..361357d0d --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/service/normalize/RequiredActionNormalizationService.java @@ -0,0 +1,77 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.service.normalize; + +import org.javers.core.Javers; +import org.keycloak.representations.idm.RequiredActionProviderRepresentation; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.stereotype.Service; + +import java.util.ArrayList; +import java.util.List; +import java.util.function.Function; +import java.util.stream.Collectors; + +import static de.adorsys.keycloak.config.service.normalize.RealmNormalizationService.getNonNull; + +@Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class RequiredActionNormalizationService { + + private static final Logger logger = LoggerFactory.getLogger(RequiredActionNormalizationService.class); + + private final Javers javers; + + public RequiredActionNormalizationService(Javers javers) { + this.javers = javers; + } + + public List normalizeRequiredActions(List exportedActions, + List baselineActions) { + var exportedOrEmpty = getNonNull(exportedActions); + var baselineOrEmpty = getNonNull(baselineActions); + + var exportedMap = exportedOrEmpty.stream() + .collect(Collectors.toMap(RequiredActionProviderRepresentation::getAlias, Function.identity())); + var baselineMap = baselineOrEmpty.stream() + .collect(Collectors.toMap(RequiredActionProviderRepresentation::getAlias, Function.identity())); + + var normalizedActions = new ArrayList(); + for (var entry : baselineMap.entrySet()) { + var alias = entry.getKey(); + var exportedAction = exportedMap.remove(alias); + if (exportedAction == null) { + logger.warn("Default realm requiredAction '{}' was deleted in exported realm. It may be reintroduced during import", alias); + continue; + } + var baselineAction = entry.getValue(); + + var diff = javers.compare(baselineAction, exportedAction); + if (diff.hasChanges()) { + normalizedActions.add(exportedAction); + } + } + normalizedActions.addAll(exportedMap.values()); + return normalizedActions.isEmpty() ? null : normalizedActions; + } +} diff --git a/src/main/java/de/adorsys/keycloak/config/service/normalize/RoleNormalizationService.java b/src/main/java/de/adorsys/keycloak/config/service/normalize/RoleNormalizationService.java new file mode 100644 index 000000000..a4209b8a3 --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/service/normalize/RoleNormalizationService.java @@ -0,0 +1,161 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.service.normalize; + +import org.javers.core.Javers; +import org.keycloak.representations.idm.RoleRepresentation; +import org.keycloak.representations.idm.RolesRepresentation; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.stereotype.Service; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.function.Function; +import java.util.stream.Collectors; + +import static de.adorsys.keycloak.config.service.normalize.RealmNormalizationService.getNonNull; + +@Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class RoleNormalizationService { + + private static final Logger logger = LoggerFactory.getLogger(RoleNormalizationService.class); + + private final Javers unOrderedJavers; + private final AttributeNormalizationService attributeNormalizationService; + + @Autowired + public RoleNormalizationService(Javers unOrderedJavers, AttributeNormalizationService attributeNormalizationService) { + this.unOrderedJavers = unOrderedJavers; + this.attributeNormalizationService = attributeNormalizationService; + } + + public RolesRepresentation normalizeRoles(RolesRepresentation exportedRoles, RolesRepresentation baselineRoles) { + var exportedOrEmpty = exportedRoles == null ? new RolesRepresentation() : exportedRoles; + var baselineOrEmpty = baselineRoles == null ? new RolesRepresentation() : baselineRoles; + var clientRoles = normalizeClientRoles(exportedOrEmpty.getClient(), baselineOrEmpty.getClient()); + var realmRoles = normalizeRealmRoles(exportedOrEmpty.getRealm(), baselineOrEmpty.getRealm()); + var normalizedRoles = new RolesRepresentation(); + if (!clientRoles.isEmpty()) { + normalizedRoles.setClient(clientRoles); + } + if (!realmRoles.isEmpty()) { + normalizedRoles.setRealm(realmRoles); + } + + // avoid generating an empty roles element + if (normalizedRoles.getRealm() == null || (normalizedRoles.getRealm().isEmpty() && normalizedRoles.getClient().isEmpty())) { + return null; + } + + return normalizedRoles; + } + + public List normalizeRealmRoles(List exportedRoles, List baselineRoles) { + return normalizeRoleList(exportedRoles, baselineRoles, null); + } + + public Map> normalizeClientRoles(Map> exportedRoles, + Map> baselineRoles) { + var exportedOrEmpty = getNonNull(exportedRoles); + var baselineOrEmpty = getNonNull(baselineRoles); + + var normalizedRoles = new HashMap>(); + for (var entry : baselineOrEmpty.entrySet()) { + var clientId = entry.getKey(); + var baselineClientRoles = entry.getValue(); + var exportedClientRoles = exportedOrEmpty.remove(clientId); + exportedClientRoles = getNonNull(exportedClientRoles); + + var normalizedClientRoles = normalizeRoleList(exportedClientRoles, baselineClientRoles, clientId); + if (!normalizedClientRoles.isEmpty()) { + normalizedRoles.put(clientId, normalizedClientRoles); + } + } + + for (var entry : exportedOrEmpty.entrySet()) { + var clientId = entry.getKey(); + var roles = entry.getValue(); + + if (!roles.isEmpty()) { + normalizedRoles.put(clientId, normalizeList(roles)); + } + } + return normalizedRoles; + } + + public List normalizeRoleList(List exportedRoles, + List baselineRoles, String clientId) { + var exportedOrEmpty = getNonNull(exportedRoles); + var baselineOrEmpty = getNonNull(baselineRoles); + + var exportedMap = exportedOrEmpty.stream() + .collect(Collectors.toMap(RoleRepresentation::getName, Function.identity())); + var baselineMap = baselineOrEmpty.stream() + .collect(Collectors.toMap(RoleRepresentation::getName, Function.identity())); + var normalizedRoles = new ArrayList(); + for (var entry : baselineMap.entrySet()) { + var roleName = entry.getKey(); + var exportedRole = exportedMap.remove(roleName); + if (exportedRole == null) { + if (clientId == null) { + logger.warn("Default realm role '{}' was deleted in exported realm. It may be reintroduced during import!", roleName); + } else { + logger.warn("Default realm client-role '{}' for client '{}' was deleted in the exported realm. " + + "It may be reintroduced during import!", roleName, clientId); + } + continue; + } + + var baselineRole = entry.getValue(); + + var diff = unOrderedJavers.compare(baselineRole, exportedRole); + + if (diff.hasChanges() + || compositesChanged(exportedRole.getComposites(), baselineRole.getComposites()) + || attributeNormalizationService.listAttributesChanged(exportedRole.getAttributes(), baselineRole.getAttributes())) { + normalizedRoles.add(exportedRole); + } + } + normalizedRoles.addAll(exportedMap.values()); + return normalizeList(normalizedRoles); + } + + public List normalizeList(List roles) { + for (var role : roles) { + role.setId(null); + if (role.getAttributes() != null && role.getAttributes().isEmpty()) { + role.setAttributes(null); + } + } + return roles; + } + + public boolean compositesChanged(RoleRepresentation.Composites exportedComposites, RoleRepresentation.Composites baselineComposites) { + return unOrderedJavers.compare(baselineComposites, exportedComposites) + .hasChanges(); + } +} diff --git a/src/main/java/de/adorsys/keycloak/config/service/normalize/ScopeMappingNormalizationService.java b/src/main/java/de/adorsys/keycloak/config/service/normalize/ScopeMappingNormalizationService.java new file mode 100644 index 000000000..f713a2351 --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/service/normalize/ScopeMappingNormalizationService.java @@ -0,0 +1,117 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.service.normalize; + +import org.javers.core.Javers; +import org.keycloak.representations.idm.RealmRepresentation; +import org.keycloak.representations.idm.ScopeMappingRepresentation; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.stereotype.Service; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import static de.adorsys.keycloak.config.service.normalize.RealmNormalizationService.getNonNull; + +@Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class ScopeMappingNormalizationService { + + private static final Logger logger = LoggerFactory.getLogger(ScopeMappingNormalizationService.class); + + private final Javers javers; + + public ScopeMappingNormalizationService(Javers javers) { + this.javers = javers; + } + + public List normalizeScopeMappings(RealmRepresentation exportedRealm, RealmRepresentation baselineRealm) { + /* + * TODO: are the mappings in scopeMappings always clientScope/role? If not, this breaks + */ + // First handle the "default" scopeMappings present in the + var exportedMappingsMap = new HashMap(); + for (var exportedMapping : exportedRealm.getScopeMappings()) { + exportedMappingsMap.put(exportedMapping.getClientScope(), exportedMapping); + } + + var baselineMappingsMap = new HashMap(); + + var mappings = new ArrayList(); + for (var baselineRealmMapping : baselineRealm.getScopeMappings()) { + var clientScope = baselineRealmMapping.getClientScope(); + baselineMappingsMap.put(clientScope, baselineRealmMapping); + var exportedMapping = exportedMappingsMap.get(clientScope); + if (exportedMapping == null) { + logger.warn("Default realm scopeMapping '{}' was deleted in exported realm. It may be reintroduced during import!", clientScope); + continue; + } + // If the exported scopeMapping is different from the one that is present in the baseline realm, export it in the yml + if (scopeMappingChanged(exportedMapping, baselineRealmMapping)) { + mappings.add(exportedMapping); + } + } + + for (Map.Entry e : exportedMappingsMap.entrySet()) { + var clientScope = e.getKey(); + if (!baselineMappingsMap.containsKey(clientScope)) { + mappings.add(e.getValue()); + } + } + return mappings; + } + + public Map> normalizeClientScopeMappings(RealmRepresentation exportedRealm, + RealmRepresentation baselineRealm) { + var baselineOrEmpty = getNonNull(baselineRealm.getClientScopeMappings()); + var exportedOrEmpty = getNonNull(exportedRealm.getClientScopeMappings()); + + var mappings = new HashMap>(); + for (var e : baselineOrEmpty.entrySet()) { + var key = e.getKey(); + if (!exportedOrEmpty.containsKey(key)) { + logger.warn("Default realm clientScopeMapping '{}' was deleted in exported realm. It may be reintroduced during import!", key); + continue; + } + var scopeMappings = exportedOrEmpty.get(key); + if (javers.compareCollections(e.getValue(), scopeMappings, ScopeMappingRepresentation.class).hasChanges()) { + mappings.put(key, scopeMappings); + } + } + + for (var e : exportedOrEmpty.entrySet()) { + var key = e.getKey(); + if (!baselineOrEmpty.containsKey(key)) { + mappings.put(key, e.getValue()); + } + } + return mappings; + } + + public boolean scopeMappingChanged(ScopeMappingRepresentation exportedMapping, ScopeMappingRepresentation baselineRealmMapping) { + return javers.compare(baselineRealmMapping, exportedMapping).hasChanges(); + } + +} diff --git a/src/main/java/de/adorsys/keycloak/config/service/normalize/UserFederationNormalizationService.java b/src/main/java/de/adorsys/keycloak/config/service/normalize/UserFederationNormalizationService.java new file mode 100644 index 000000000..2821b7b39 --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/service/normalize/UserFederationNormalizationService.java @@ -0,0 +1,154 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2023 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.service.normalize; + +import org.javers.core.Javers; +import org.keycloak.representations.idm.UserFederationMapperRepresentation; +import org.keycloak.representations.idm.UserFederationProviderRepresentation; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.stereotype.Service; + +import java.util.ArrayList; +import java.util.List; +import java.util.Objects; +import java.util.function.Function; +import java.util.stream.Collectors; + +import static de.adorsys.keycloak.config.service.normalize.RealmNormalizationService.getNonNull; + +@Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class UserFederationNormalizationService { + + private static final Logger logger = LoggerFactory.getLogger(UserFederationNormalizationService.class); + + private final Javers unOrderedJavers; + + @Autowired + public UserFederationNormalizationService(Javers unOrderedJavers) { + this.unOrderedJavers = unOrderedJavers; + } + + public List normalizeProviders(List exportedProviders, + List baselineProviders) { + var exportedOrEmpty = getNonNull(exportedProviders); + var baselineOrEmpty = getNonNull(baselineProviders); + + var exportedMap = exportedOrEmpty.stream() + .collect(Collectors.toMap(UserFederationProviderRepresentation::getDisplayName, Function.identity())); + var baselineMap = baselineOrEmpty.stream() + .collect(Collectors.toMap(UserFederationProviderRepresentation::getDisplayName, Function.identity())); + + var normalizedProviders = new ArrayList(); + for (var entry : baselineMap.entrySet()) { + var displayName = entry.getKey(); + var exportedProvider = exportedMap.remove(displayName); + + if (exportedProvider == null) { + logger.warn("Default realm UserFederationProvider '{}' was deleted in exported realm. " + + "It may be reintroduced during import!", displayName); + continue; + } + + var baselineProvider = entry.getValue(); + if (unOrderedJavers.compare(baselineProvider, exportedProvider).hasChanges()) { + normalizedProviders.add(exportedProvider); + } + } + normalizedProviders.addAll(exportedMap.values()); + for (var provider : normalizedProviders) { + provider.setId(null); + if (provider.getConfig() != null && provider.getConfig().isEmpty()) { + provider.setConfig(null); + } + } + return normalizedProviders.isEmpty() ? null : normalizedProviders; + } + + public List normalizeMappers(List exportedMappers, + List baselineMappers) { + var exportedOrEmpty = getNonNull(exportedMappers); + var baselineOrEmpty = getNonNull(baselineMappers); + + var exportedMap = exportedOrEmpty.stream() + .collect(Collectors.toMap(m -> new MapperKey(m.getName(), m.getFederationProviderDisplayName()), Function.identity())); + var baselineMap = baselineOrEmpty.stream() + .collect(Collectors.toMap(m -> new MapperKey(m.getName(), m.getFederationProviderDisplayName()), Function.identity())); + + var normalizedMappers = new ArrayList(); + for (var entry : baselineMap.entrySet()) { + var key = entry.getKey(); + var exportedMapper = exportedMap.remove(key); + if (exportedMapper == null) { + logger.warn("Default realm UserFederationMapper '{}' for federation '{}' was deleted in exported realm. " + + "It may be reintroduced during import!", key.getName(), key.getFederationDisplayName()); + } + + var baselineMapper = entry.getValue(); + if (unOrderedJavers.compare(baselineMapper, exportedMapper).hasChanges()) { + normalizedMappers.add(exportedMapper); + } + } + normalizedMappers.addAll(exportedMap.values()); + for (var mapper : normalizedMappers) { + mapper.setId(null); + if (mapper.getConfig() != null && mapper.getConfig().isEmpty()) { + mapper.setConfig(null); + } + } + return normalizedMappers.isEmpty() ? null : normalizedMappers; + } + + private static class MapperKey { + private final String name; + private final String federationDisplayName; + + public MapperKey(String name, String federationDisplayName) { + this.name = name; + this.federationDisplayName = federationDisplayName; + } + + public String getName() { + return name; + } + + public String getFederationDisplayName() { + return federationDisplayName; + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + UserFederationNormalizationService.MapperKey mapperKey = (UserFederationNormalizationService.MapperKey) o; + return Objects.equals(name, mapperKey.name) && Objects.equals(federationDisplayName, mapperKey.federationDisplayName); + } + + @Override + public int hashCode() { + return Objects.hash(name, federationDisplayName); + } + } + +} diff --git a/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/client/ClientCompositeImport.java b/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/client/ClientCompositeImport.java index 742a51ba8..488b8b9a4 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/client/ClientCompositeImport.java +++ b/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/client/ClientCompositeImport.java @@ -26,12 +26,14 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.*; import java.util.stream.Collectors; @Service("clientRoleClientCompositeImport") +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ClientCompositeImport { private static final Logger logger = LoggerFactory.getLogger(ClientCompositeImport.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/client/ClientRoleCompositeImportService.java b/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/client/ClientRoleCompositeImportService.java index 2130abc0c..05b56fa43 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/client/ClientRoleCompositeImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/client/ClientRoleCompositeImportService.java @@ -22,6 +22,7 @@ import org.keycloak.representations.idm.RoleRepresentation; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.List; @@ -32,6 +33,7 @@ * Implements the update mechanism for role composites of client-level roles */ @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ClientRoleCompositeImportService { private final RealmCompositeImport realmCompositeImport; diff --git a/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/client/RealmCompositeImport.java b/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/client/RealmCompositeImport.java index 1fe734179..126fd06eb 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/client/RealmCompositeImport.java +++ b/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/client/RealmCompositeImport.java @@ -25,6 +25,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.Objects; @@ -32,6 +33,7 @@ import java.util.stream.Collectors; @Service("clientRoleRealmCompositeImport") +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class RealmCompositeImport { private static final Logger logger = LoggerFactory.getLogger(RealmCompositeImport.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/realm/ClientCompositeImport.java b/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/realm/ClientCompositeImport.java index ccfdf78c2..b469ec973 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/realm/ClientCompositeImport.java +++ b/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/realm/ClientCompositeImport.java @@ -25,12 +25,14 @@ import org.keycloak.representations.idm.RoleRepresentation; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.*; import java.util.stream.Collectors; @Service("realmRoleClientCompositeImport") +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class ClientCompositeImport { private static final Logger logger = LoggerFactory.getLogger(ClientCompositeImport.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/realm/RealmCompositeImport.java b/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/realm/RealmCompositeImport.java index e7eb4f7ac..1cb9aa31d 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/realm/RealmCompositeImport.java +++ b/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/realm/RealmCompositeImport.java @@ -25,6 +25,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.Objects; @@ -32,6 +33,7 @@ import java.util.stream.Collectors; @Service("realmRoleRealmCompositeImport") +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class RealmCompositeImport { private static final Logger logger = LoggerFactory.getLogger(RealmCompositeImport.class); diff --git a/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/realm/RealmRoleCompositeImportService.java b/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/realm/RealmRoleCompositeImportService.java index 5292af18c..b3d484e86 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/realm/RealmRoleCompositeImportService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/rolecomposites/realm/RealmRoleCompositeImportService.java @@ -22,6 +22,7 @@ import org.keycloak.representations.idm.RoleRepresentation; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.List; @@ -31,6 +32,7 @@ * Implements the update mechanism for role composites of realm-level roles */ @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class RealmRoleCompositeImportService { private final RealmCompositeImport realmCompositeImport; diff --git a/src/main/java/de/adorsys/keycloak/config/service/state/StateService.java b/src/main/java/de/adorsys/keycloak/config/service/state/StateService.java index 7cecd6d78..8913c53a7 100644 --- a/src/main/java/de/adorsys/keycloak/config/service/state/StateService.java +++ b/src/main/java/de/adorsys/keycloak/config/service/state/StateService.java @@ -29,6 +29,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Service; import java.util.ArrayList; @@ -36,6 +37,7 @@ import java.util.Map; @Service +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class StateService { private static final Logger logger = LoggerFactory.getLogger(StateService.class); diff --git a/src/main/java/de/adorsys/keycloak/config/util/JaversUtil.java b/src/main/java/de/adorsys/keycloak/config/util/JaversUtil.java new file mode 100644 index 000000000..6ec32867c --- /dev/null +++ b/src/main/java/de/adorsys/keycloak/config/util/JaversUtil.java @@ -0,0 +1,42 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2022 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.util; + +import de.adorsys.keycloak.config.exception.NormalizationException; +import org.javers.core.diff.changetype.PropertyChange; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.stereotype.Component; + +@Component +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class JaversUtil { + + public void applyChange(Object object, PropertyChange change) { + try { + var field = object.getClass().getDeclaredField(change.getPropertyName()); + field.setAccessible(true); + field.set(object, change.getRight()); + } catch (NoSuchFieldException | IllegalAccessException ex) { + throw new NormalizationException(String.format("Failed to set property %s on object of type %s", + change.getPropertyName(), object.getClass().getName()), ex); + } + } +} diff --git a/src/main/resources/application-normalize-dev.properties b/src/main/resources/application-normalize-dev.properties new file mode 100644 index 000000000..ada43bd0e --- /dev/null +++ b/src/main/resources/application-normalize-dev.properties @@ -0,0 +1,6 @@ +spring.output.ansi.enabled=ALWAYS +spring.config.import=classpath:application-debug.properties + +run.operation=NORMALIZE +normalization.files.input-locations=./exports/in/*.json +normalization.files.output-directory=./exports/out diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 25641213d..cae13948a 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -6,6 +6,8 @@ spring.main.lazy-initialization=true spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.availability.ApplicationAvailabilityAutoConfiguration keycloak.version=@keycloak.version@ +normalize.version=@keycloak.version@ + keycloak.login-realm=master keycloak.user=admin keycloak.client-secret= diff --git a/src/main/resources/baseline/19.0.3/client/client.json b/src/main/resources/baseline/19.0.3/client/client.json new file mode 100644 index 000000000..858b1115b --- /dev/null +++ b/src/main/resources/baseline/19.0.3/client/client.json @@ -0,0 +1,45 @@ +{ + "id": "caa6606a-6056-475c-af05-8b0365bb8164", + "clientId": "reference-client", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "q0t682YLCCk2qd5dntjtcniGozLXIZ7h", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "client.secret.creation.time": "1667920370" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ], + "access": { + "view": true, + "configure": true, + "manage": true + } +} diff --git a/src/main/resources/baseline/19.0.3/realm/realm.json b/src/main/resources/baseline/19.0.3/realm/realm.json new file mode 100644 index 000000000..bf14005cb --- /dev/null +++ b/src/main/resources/baseline/19.0.3/realm/realm.json @@ -0,0 +1,2176 @@ +{ + "id": "REALM_NAME_PLACEHOLDER", + "realm": "REALM_NAME_PLACEHOLDER", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "roles": { + "realm": [ + { + "id": "0825e37b-b5bb-413d-9c1c-23457f17cb66", + "name": "default-roles-REALM_NAME_PLACEHOLDER", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ], + "client": { + "account": [ + "manage-account", + "view-profile" + ] + } + }, + "clientRole": false, + "containerId": "REALM_NAME_PLACEHOLDER", + "attributes": {} + }, + { + "id": "08b30ae4-52ba-45a9-b723-07e6ac57ae2f", + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "REALM_NAME_PLACEHOLDER", + "attributes": {} + }, + { + "id": "372ddfc2-cd6e-4ca3-a30f-d39cb92ac12d", + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, + "containerId": "REALM_NAME_PLACEHOLDER", + "attributes": {} + } + ], + "client": { + "realm-management": [ + { + "id": "caf6ae68-6a16-4dfa-9a71-1149ceb8f79c", + "name": "manage-identity-providers", + "description": "${role_manage-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "913aeddb-8be9-4060-86c7-30cf0fa892ee", + "name": "manage-users", + "description": "${role_manage-users}", + "composite": false, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "15ee649c-ef5f-4fe8-a6c1-67a9db14b0c5", + "name": "view-clients", + "description": "${role_view-clients}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-clients" + ] + } + }, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "5d56f881-d3ff-49ad-929c-214afd641f8f", + "name": "query-clients", + "description": "${role_query-clients}", + "composite": false, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "0ba58546-8487-4508-b81f-0735432accf2", + "name": "view-events", + "description": "${role_view-events}", + "composite": false, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "f6f1b3c0-5d29-41b4-b2ec-cfab60e28a3b", + "name": "query-users", + "description": "${role_query-users}", + "composite": false, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "2c6ddc11-206e-4e82-b894-9fca7cc85866", + "name": "view-realm", + "description": "${role_view-realm}", + "composite": false, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "f9917916-7aca-413b-b7bc-452d3fca7a48", + "name": "manage-events", + "description": "${role_manage-events}", + "composite": false, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "ad1d551b-3f03-445d-8ac0-51b1196413f0", + "name": "view-users", + "description": "${role_view-users}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-groups", + "query-users" + ] + } + }, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "f645cca6-9d25-40f0-8ce9-d988a04d9bec", + "name": "create-client", + "description": "${role_create-client}", + "composite": false, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "ce56402a-8925-4750-9269-6b035cfa334f", + "name": "impersonation", + "description": "${role_impersonation}", + "composite": false, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "1e70f63f-0883-4452-bb1b-f179bf3c8c30", + "name": "manage-authorization", + "description": "${role_manage-authorization}", + "composite": false, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "5cef1f90-8af8-4445-b6a3-05d6eb60c46c", + "name": "manage-realm", + "description": "${role_manage-realm}", + "composite": false, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "e87e4aa8-8c15-44ba-9622-eec4eeae1997", + "name": "query-groups", + "description": "${role_query-groups}", + "composite": false, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "baa31234-e4ed-4821-a696-6ccd686b5e1f", + "name": "view-identity-providers", + "description": "${role_view-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "0d7127a0-cd7b-478c-9156-629fc321bca4", + "name": "query-realms", + "description": "${role_query-realms}", + "composite": false, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "99d07b51-633c-4d25-9dc1-f779a219c246", + "name": "realm-admin", + "description": "${role_realm-admin}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "manage-users", + "manage-identity-providers", + "view-clients", + "query-clients", + "view-events", + "query-users", + "view-realm", + "manage-events", + "view-users", + "create-client", + "manage-authorization", + "impersonation", + "manage-realm", + "view-identity-providers", + "query-groups", + "query-realms", + "manage-clients", + "view-authorization" + ] + } + }, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "118c289f-0b71-4edf-ac2a-7016cc0c674d", + "name": "manage-clients", + "description": "${role_manage-clients}", + "composite": false, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + }, + { + "id": "30f43104-6914-4e4f-9f6d-219daf2f7991", + "name": "view-authorization", + "description": "${role_view-authorization}", + "composite": false, + "clientRole": true, + "containerId": "631f9fd2-7539-4190-8983-0e94614c5b73", + "attributes": {} + } + ], + "security-admin-console": [], + "admin-cli": [], + "account-console": [], + "broker": [ + { + "id": "6045a69a-aec3-4a11-b4c3-3cae53f7a914", + "name": "read-token", + "description": "${role_read-token}", + "composite": false, + "clientRole": true, + "containerId": "6eed48a3-64bd-48ed-ac7c-607f8e724258", + "attributes": {} + } + ], + "account": [ + { + "id": "4e27eb76-06ea-4547-ab5d-de8f9c745597", + "name": "manage-consent", + "description": "${role_manage-consent}", + "composite": true, + "composites": { + "client": { + "account": [ + "view-consent" + ] + } + }, + "clientRole": true, + "containerId": "6c7757f2-9ed7-4609-8e41-f4316ca8d31e", + "attributes": {} + }, + { + "id": "60ae83a6-6ed1-4b4f-81cc-701b9a95ceb9", + "name": "delete-account", + "description": "${role_delete-account}", + "composite": false, + "clientRole": true, + "containerId": "6c7757f2-9ed7-4609-8e41-f4316ca8d31e", + "attributes": {} + }, + { + "id": "f5f244ba-53de-45d7-9774-d4c915cd4ccb", + "name": "manage-account", + "description": "${role_manage-account}", + "composite": true, + "composites": { + "client": { + "account": [ + "manage-account-links" + ] + } + }, + "clientRole": true, + "containerId": "6c7757f2-9ed7-4609-8e41-f4316ca8d31e", + "attributes": {} + }, + { + "id": "2abb2ef2-3e4c-43d5-9ab7-b096e19f3a56", + "name": "view-consent", + "description": "${role_view-consent}", + "composite": false, + "clientRole": true, + "containerId": "6c7757f2-9ed7-4609-8e41-f4316ca8d31e", + "attributes": {} + }, + { + "id": "8eb01f07-3771-4b28-ab78-6f216079b508", + "name": "view-profile", + "description": "${role_view-profile}", + "composite": false, + "clientRole": true, + "containerId": "6c7757f2-9ed7-4609-8e41-f4316ca8d31e", + "attributes": {} + }, + { + "id": "23954dae-8150-4183-8733-bce1349fb0ec", + "name": "manage-account-links", + "description": "${role_manage-account-links}", + "composite": false, + "clientRole": true, + "containerId": "6c7757f2-9ed7-4609-8e41-f4316ca8d31e", + "attributes": {} + }, + { + "id": "734d080d-1f67-48e9-942f-9233f6eca901", + "name": "view-applications", + "description": "${role_view-applications}", + "composite": false, + "clientRole": true, + "containerId": "6c7757f2-9ed7-4609-8e41-f4316ca8d31e", + "attributes": {} + } + ] + } + }, + "groups": [], + "defaultRole": { + "id": "0825e37b-b5bb-413d-9c1c-23457f17cb66", + "name": "default-roles-REALM_NAME_PLACEHOLDER", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "REALM_NAME_PLACEHOLDER" + }, + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpSupportedApplications": [ + "FreeOTP", + "Google Authenticator" + ], + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "scopeMappings": [ + { + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] + } + ], + "clientScopeMappings": { + "account": [ + { + "client": "account-console", + "roles": [ + "manage-account" + ] + } + ] + }, + "clients": [ + { + "id": "6c7757f2-9ed7-4609-8e41-f4316ca8d31e", + "clientId": "account", + "name": "${client_account}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/REALM_NAME_PLACEHOLDER/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/REALM_NAME_PLACEHOLDER/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "fe6ddaaf-3a90-4942-ae6a-1f170c87fc3b", + "clientId": "account-console", + "name": "${client_account-console}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/REALM_NAME_PLACEHOLDER/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/REALM_NAME_PLACEHOLDER/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "9f385a11-7b42-4f92-ac9b-7d286590a392", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "61ecc83e-d3f3-4b4f-a821-845094b3d9d4", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "6eed48a3-64bd-48ed-ac7c-607f8e724258", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "631f9fd2-7539-4190-8983-0e94614c5b73", + "clientId": "realm-management", + "name": "${client_realm-management}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "05f3367b-492b-40e1-ba0c-f000aa3ad0ef", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "rootUrl": "${authAdminUrl}", + "baseUrl": "/admin/REALM_NAME_PLACEHOLDER/console/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/admin/REALM_NAME_PLACEHOLDER/console/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "9d1f5814-fa63-4c36-ae10-747d30f47c69", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + } + ], + "clientScopes": [ + { + "id": "23fc5623-9366-478f-9924-801d71f32489", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "31541a2f-1c88-43d9-96fe-9f9efbd096d4", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "1859a4f3-d051-4800-963f-45b624cccd57", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "a7777bff-a046-4fe3-a5a9-a520d79865ec", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": {} + } + ] + }, + { + "id": "7d011629-d7f1-45ad-a09b-b4decb3d47ed", + "name": "acr", + "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "22a74f8c-4493-4a1a-bf97-f51466e336b3", + "name": "acr loa level", + "protocol": "openid-connect", + "protocolMapper": "oidc-acr-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true" + } + } + ] + }, + { + "id": "7fb8529d-cb6f-4f31-b4c3-f6be6f74b47d", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "5bd8bfba-d8a3-4792-aaec-5f0513397193", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "89146d36-28d5-4750-933e-75014b203dcf", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "01025c61-c655-463d-967d-a45e88368472", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "ad80bcc7-66d4-44c0-b34e-65822a57359a", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "73346462-e569-4679-a57d-fe623bdc5a95", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + }, + { + "id": "3842db0a-837f-4564-9e48-07c87f5d3258", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" + } + } + ] + }, + { + "id": "f79aab58-4d4a-40ee-b879-a586ff956f12", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "ccb6bedc-b921-4c83-abe6-13de8c0e9795", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "id": "19ae8192-0189-4644-a362-d08a0bce5680", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "a0d6d0c2-afd3-4b29-a99f-ff3002866519", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "1dcbfe97-e4ab-4df7-8517-4eaaa26ea410", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "8448e164-b72e-406e-b14b-ae5d1e72393a", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + }, + { + "id": "c573ae92-f94a-494e-9403-f875d22d3e8d", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "id": "09f992cc-2d64-4d4d-88ca-59a1b63325e9", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "04658d90-dc3d-4865-ac52-6f16570fcd76", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "de199ca1-e720-419f-aeee-e112568f5cff", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "id": "08daf912-8959-4ba5-9c38-ffcd395d6487", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": "d76e56a2-6237-46d5-a56b-0ecd1f979e85", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + }, + { + "id": "6bc40007-ab16-48f6-ae81-a66a9062ad5c", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "id": "0385dbe8-587c-49ab-a317-a15b5b52d456", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "id": "28946b3e-0eab-44a5-8eee-d42088072306", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, + { + "id": "e61c48dc-d083-4029-92d1-3c7a6f3d8bb9", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "id": "62545d7c-ef2e-48a6-bff8-e2e9a2b16c3d", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "id": "f1c75501-26b2-4d94-82aa-851e4fa3dd7c", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "046a0b0d-5256-48fe-9b8f-b5193d87ebdd", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "long" + } + } + ] + }, + { + "id": "d807e61e-3661-44ff-a8cd-285458e6f763", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "fede614b-c46e-484c-8dba-9590cd0205fe", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "c8a4b7a9-c8ba-412b-a17d-e90a3c6393fd", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "de4bafae-e88c-4c2f-9001-311f5c141633", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + }, + { + "id": "9aa11aac-4178-435b-83b3-2d85508e34bd", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + } + ] + } + ], + "defaultDefaultClientScopes": [ + "role_list", + "profile", + "email", + "roles", + "web-origins", + "acr" + ], + "defaultOptionalClientScopes": [ + "offline_access", + "address", + "phone", + "microprofile-jwt" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection": "1; mode=block", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + "smtpServer": {}, + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [], + "identityProviderMappers": [], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "808ef7c4-b5d1-491c-ade0-559f38287e68", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "2a0ad1a6-d6f9-43cb-8ec1-8913a23339d7", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "saml-role-list-mapper", + "oidc-full-name-mapper", + "oidc-usermodel-property-mapper", + "oidc-address-mapper", + "oidc-usermodel-attribute-mapper", + "saml-user-attribute-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-user-property-mapper" + ] + } + }, + { + "id": "3695208c-32af-497b-9af9-5de878749899", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "b7317013-6157-4099-a1ee-194df4808b2d", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "2464d485-980d-447a-94e2-34cf96aad1f1", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "6460fb5a-bbb9-400b-aba7-85cbe8666341", + "name": "Trusted Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + }, + { + "id": "c2093410-4c63-4436-9294-535c492912dc", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-usermodel-property-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-role-list-mapper", + "saml-user-property-mapper", + "oidc-address-mapper", + "saml-user-attribute-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-full-name-mapper" + ] + } + }, + { + "id": "f9ef3de5-1ad1-4c9c-92bd-62a070e13ba2", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "d75363d0-aed5-4fea-a97f-d0c1adb4fa63", + "name": "hmac-generated", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "kid": [ + "ea50f128-6340-4f3e-8050-1e79ba559121" + ], + "secret": [ + "QYJipEnEXtsqk2OqtX1oyyQrANj03UWaGGf1p4yD28-x4MMOSxXVpEVTwZZvpgJeB-4L2lztTaJxVhANSO1lDQ" + ], + "priority": [ + "100" + ], + "algorithm": [ + "HS256" + ] + } + }, + { + "id": "594b0771-b860-4aa8-8a81-4b29ee5ac384", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "privateKey": [ + "MIIEowIBAAKCAQEAsZSMHIVGaorVvBfVYzTAHzXO7/ilxcjty/hayFAB3C1CkEnKeYIs2hUv8s3DFrG26GBFRWI+HVX8yCCuwksDkF4kB6ZxpNV/NCwt4+Hv1Fr/A58eVHkriXajlOE9LUkvrSd04bGGD+SplAgCweQzVcHF5Iy4bvsIJ8ow5WKJ7dGtJlnU2ddBEdja2KhlFWBdqn2YCdvpuLGEYNGr5/ANBM6evcv/bU3tVdq64TPSC13kw/QicKzAU6H+4k8reIAgaEhtudqb6sWI9G0JiSPtb98psTZMFjoGb9yphOFsoSmljA3Ozp2wDVltV/zyk8Aw7J2I8EOCdjcX8BdkkQc6oQIDAQABAoIBABEdhJ2RGNbW97+vumDb6jJ34LCPUgbslULF9pX85BkBAbvfaNTqP4FrblokC8wJp9vgv3xu+hagvYLaZ42RZlAJSsaz+5sL+r0gDvI6Sf+5H4ANW4J/xTr0BNMqHFfbiG1Tcrf4ALhSbSe31/AxGuOGkBi1mWcU6dXP7oOFSk7x79FVmirB0bKGGwd2TNbrmtBSiDU33vUPxwGnDSsmw8TVHyjISiM0BfvVkS9RrBGqEnNm0iKccukRgengrqCK8D4fq65YPrQQQ9o9I50eU0qHoCiVJyNC2+MBpiOniShLO8jyiLAuhDKDfoKis5C6Hqm1yyf2PzwB1rIjV5XVf2ECgYEA6JiWMHHKfyR3QNvGjRp3Jfz/WQvLGXZCwVDowhlNRtfvGC56tEC+QAWxM/4l12u1NMyYSDeF44tYpzq0dGtVkTWTzQKNczTkGhValNMgFEUa8pwumBVVfrfLllA0VGrMW6fEAr8ta2gFODOWoViLSD0s0Jmu6CpdKSUzafcnMjkCgYEAw3LQ2sLgGL8LajjPl++LgWcKRZF3M80IFF2fE78I80zVow4x6Ei+EyrvObmJ5necXKkRA7o7h/7Xb+ATy2h0ZCdr/OXpmR/yGASfUdNXDrtQ0nYF6TNz1Xqadi9cGv7YKy8SOgbB0SM5S6aRy+ouoaUwNCSsWDleAgEOQvpzq6kCgYBrPv/xMmaWHTBHXY69PPi3MWJjooZxJRA+ppnL9XKmOaZq1fOJ7VhLmNRODt9P5r/UqomEsuUvN+8WnIDcNSltHPEbVBP4jOioBjSP7pEaB4sXVmA9i4iyNvjORAj864lysXY1dgTxQzM06MSJfJQsKNjjDhmRvwbZk+eS8nzGMQKBgAFjAipbMZ3bVShmyMpKL9I2OfNuacsbTFBgra1FMLoRNH7Yre/4/ChEqLffIiRZeumJZY6CNsPrQfoQO/O4hQLk6LY9p1+nw176QWsiNb7sA1HK9pXGAK9mFEx8X4ntfvknd1ikDaH/PvvTbbtlqPkKpAHqtLJXjdwzx7cf8cwpAoGBALxwuNYA7NBV8qRzTsLfSGoZEfl6jQogD3GR+EmFswIEYzdp8Mp+VwcpBjP5D28v9kFKa8dCe7TU9aY1JZm5W+N3ZqfhLp6TNepKVpRsyKsF4Pjz9fDZu1Q9AU81ImSO4w6FkLqQc069w7M5O/tT4/WjYbfqEp16UkP77Gh1F4O6" + ], + "keyUse": [ + "SIG" + ], + "certificate": [ + "MIIClzCCAX8CBgGEV1OLDTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARkZW1vMB4XDTIyMTEwODEyNTgyM1oXDTMyMTEwODEzMDAwM1owDzENMAsGA1UEAwwEZGVtbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALGUjByFRmqK1bwX1WM0wB81zu/4pcXI7cv4WshQAdwtQpBJynmCLNoVL/LNwxaxtuhgRUViPh1V/MggrsJLA5BeJAemcaTVfzQsLePh79Ra/wOfHlR5K4l2o5ThPS1JL60ndOGxhg/kqZQIAsHkM1XBxeSMuG77CCfKMOViie3RrSZZ1NnXQRHY2tioZRVgXap9mAnb6bixhGDRq+fwDQTOnr3L/21N7VXauuEz0gtd5MP0InCswFOh/uJPK3iAIGhIbbnam+rFiPRtCYkj7W/fKbE2TBY6Bm/cqYThbKEppYwNzs6dsA1ZbVf88pPAMOydiPBDgnY3F/AXZJEHOqECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAdo+c58iEquMpcBiMQ44lhSnroyrRwHazMxQ/8fHUUh2QxNwlGynGPfhMNyUtn06sPZqabV1ixTDfb6NbEpJK/HN3meWUNl4I4i5Zabew5DuUCh/BLRUbgOApsoRyHabDlR68inuXIPaP4M8lOfQsZO2/xNuGnr/eedKIR1WotXtmm2WJv79A9tJQkplizS78HoCa+HlyP1UAuAUDO0IZsJwY8CbKq1wgrhs9by8amdzZRBVILuDnuqEqeRxSY4o4BOvtM7TG5aA0iBVQc473NT1IvY10ojW6zs/ahqs0yG44+W2aBG35DvoDNVqP9Lw1vaTAD7OHdzQGhREz07cemA==" + ], + "priority": [ + "100" + ] + } + }, + { + "id": "da244786-6bf6-40c4-b7c3-094f883d969e", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + "config": { + "kid": [ + "6ee413ed-3b74-458f-acb7-a89d5e05f0b9" + ], + "secret": [ + "sANwaoZOUoMcaPlAr5U1sQ" + ], + "priority": [ + "100" + ] + } + }, + { + "id": "1eeba879-03e8-4aad-b91a-0159cf513d73", + "name": "rsa-enc-generated", + "providerId": "rsa-enc-generated", + "subComponents": {}, + "config": { + "privateKey": [ + "MIIEowIBAAKCAQEA4FmIA8jfFAMVm8BuINWDWCn//Xzlk48yoUly1kP8RXriGOYfXrQQTqae0nhBBqlaJFBXAjI41UGJE9+4j23/aGp8vcTTUy9M4qBl9jlt9Pqz178/KaMDuBkeb3TV8PbR6PXrCSuWOuT3LJaXWEitpeMM/+dFSOxD4M1LWOwoQltSlmiZblcb5NsRal60sHvFUA5ecp35jW7Rj+xAQKR7QxgOr8rf83P9NPWYww4+lbKdbgnD2IMfdzZ9soSiHX4WtRrl1dPAqnihfEeaOoDXXTa1m49Q4xORnMVs6E15A+Zviu0xhR1385GT7sHLhZbSh+oLH4nx9jFinry+AgGlUwIDAQABAoIBABbvIBfe82r8y7sxxzBFE1myZXBY0bEtbMwPEZW0unex0aYg9Cj+uEIKB2dVkrQnIMdgjRx03Nl0CxrEfn3vDTJz3E+b7Mxuo+nw4qtygHqQHE1cSA0uFGW/75wOMgahfKDXbtDvqzpXCKt+s3b7awDvvnb0geEsAd5bri2napApy7qEg8iD04NhJhPj+nnoZ/jWTs3N++Dy/a0Y4/TsmIJXjtOY4JUcbYSJDBgFW0hikU/JKRMYXRZNCOzgDlUO+ejxKR2/HJjNK3ynf8Z5seROvVLI6sDTAA20b/PQLW4yEC7BtjWor8zag5tN6ZORdf4tZrsWLAiSAU2NPZepRx0CgYEA9duql4nPIs9Vf7GBZeVJd8Vl5z4WuAbaLgZ0TxaUwU83b9oaw1JmQgZ7gOCDgBkdECJk7iZAgdCCDKyFZyq+aeE8jn2uWXXrh/nMw2rXtAu3K464oyN2kWd4d7vinEsm7B5Vz1tiT20uuACS8AWi63pdBsx7yIsoq/yTantSMN0CgYEA6Zq7A++W2vwCWf0bzuwZ8ozObHafr3awgnEzlD2CXUW0mBC3ptxbo9+ug9SnZC7UMVNEqTVArd2mFZYEnDZGvGbsiN7Qnfw3foKdNpvxMP+CfuQw7vxmCa1JOd5nLz6zKBEPGjIuCy0+wB6ASpUQNxUQQkQoC7L8Qt5cysUSM+8CgYAiSM6iMSp8bTM8ClHEFtRG6nUKaSMb6IC2WFoRyVFXH6fYZi7DPBNcc7D3SNetnlLqNBGlEBqAv8XS5J/5wgEpnKooKKiOex4sKQ5/1b9csSGK5m0i+sgHAMnQ0JeKOgSkepp2vwSXlN8l85aJ+A8/DSI513wPfDBgw2j/OVE91QKBgCnanTNBVAf8Kvewj7DtQGDitYFdZ5LqcwmL+q/OrXLEsGymYiE1Tf34b64TBcK/WSlVP/IJJoOAOOeZL05FszrCPhLvyPTlYZP7FuvX2MjsnpbZj6Lh+e416+7AWEBwvWyqUchhwTojayDE1juGpZcY4Qbea0ZdVTEt4fY6hN5lAoGBAIjrfcjMELZqlLEECwjvTgPmYqTgyJKgVw/SrYBvPpNNqVeIwb62FK19BjXuoIjecXBX8jvefGNa6qTw/OjZLk7JNNbbOdJ1PFp8GkD+e0PPUoISSY0+rAq77geLLfZbcZUwoE0UqKwSYcz0w549aUVKc/5x3tHOxEb7UcWWS5DY" + ], + "keyUse": [ + "ENC" + ], + "certificate": [ + "MIIClzCCAX8CBgGEV1OMBzANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARkZW1vMB4XDTIyMTEwODEyNTgyM1oXDTMyMTEwODEzMDAwM1owDzENMAsGA1UEAwwEZGVtbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOBZiAPI3xQDFZvAbiDVg1gp//185ZOPMqFJctZD/EV64hjmH160EE6mntJ4QQapWiRQVwIyONVBiRPfuI9t/2hqfL3E01MvTOKgZfY5bfT6s9e/PymjA7gZHm901fD20ej16wkrljrk9yyWl1hIraXjDP/nRUjsQ+DNS1jsKEJbUpZomW5XG+TbEWpetLB7xVAOXnKd+Y1u0Y/sQECke0MYDq/K3/Nz/TT1mMMOPpWynW4Jw9iDH3c2fbKEoh1+FrUa5dXTwKp4oXxHmjqA1102tZuPUOMTkZzFbOhNeQPmb4rtMYUdd/ORk+7By4WW0ofqCx+J8fYxYp68vgIBpVMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAwPwABXVkSlRYqA9sMKJrw9piGH8tkwf6wQeAFhQsInbDzXLeuLt0A3gSuh5nL2zOGcxXddIK4IgUSqI+DlFlFsSkVqHFrQBAdIVRXsYFvGbARKhVuInHlpaOy6Y/VC6opL1BnqsmUOPEv7pk4Nhf/z7y5yZfTUaGiD+K1KA/mEf56NytOFJYsxiCZaAGX6BYIavRJp3YKPAcsNlJS//1G4meOlYcx5HiTA+qY/spc7vPeKuowSh3v26x4tgypLqoD0BAS5KrK4PEVaQM0IcBC3jrIY+7dGbE1Z374nm+1FDU7md48TJdI0c75r60cpBnHUH2bLJo2Z0ezrEojP6mvQ==" + ], + "priority": [ + "100" + ], + "algorithm": [ + "RSA-OAEP" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "95570b1f-da9e-42a0-9532-aa9b690b04cb", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] + }, + { + "id": "854f25b9-b37b-468a-b8ac-1e0da29133ba", + "alias": "Authentication Options", + "description": "Authentication options.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "basic-auth", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "basic-auth-otp", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "ebcd0954-f08f-4c69-970e-43569320bb07", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "cd4b03ca-1a0f-4a9b-8bd9-388e0459d7ac", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "692bd371-d43a-440b-886b-2a0884dd5b9f", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "dce38371-4f6b-45d1-94b0-5e91182c31fd", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] + }, + { + "id": "357541a3-2499-42da-9ef0-db129f38f39b", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "9c37a124-af5e-44a2-b619-b3a88e1033c6", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false + } + ] + }, + { + "id": "94355d8f-b66f-405d-80e5-55ec030fb18c", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "8fcdac85-ec7e-4a3b-908a-4f00978d4724", + "alias": "browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] + }, + { + "id": "cd9ce79e-ba0b-4d58-8249-40f8b2139a56", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "40f9ac10-edc0-46a6-b020-ba1785199911", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "0ac19480-8675-4679-b222-64508c62bcdb", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "9fd2aa99-79d7-435b-a852-5c18fad28546", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + } + ] + }, + { + "id": "da0a8a3d-9643-4746-b42d-2e8c915f76e7", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "5eea7962-6fe5-4b69-8401-313afd0f6559", + "alias": "http challenge", + "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "no-cookie-redirect", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Authentication Options", + "userSetupAllowed": false + } + ] + }, + { + "id": "f80d7c69-9314-4f4b-a61a-28a73e2d0879", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] + }, + { + "id": "deffbcd6-aa05-40e2-9bca-2ed50be54bd6", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-profile-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 60, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "0b06e91d-77f8-4d8e-a55b-21caf478524a", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "autheticatorFlow": true, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "d51e394a-e9a8-495b-ac30-3adb1e66a369", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "3c1657ce-3153-4718-bbec-9d0c508eb8a8", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "70a33e93-226e-492e-b119-f164e2cc457b", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "terms_and_conditions", + "name": "Terms and Conditions", + "providerId": "terms_and_conditions", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "webauthn-register", + "name": "Webauthn Register", + "providerId": "webauthn-register", + "enabled": true, + "defaultAction": false, + "priority": 70, + "config": {} + }, + { + "alias": "webauthn-register-passwordless", + "name": "Webauthn Register Passwordless", + "providerId": "webauthn-register-passwordless", + "enabled": true, + "defaultAction": false, + "priority": 80, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaExpiresIn": "120", + "cibaAuthRequestedUserHint": "login_hint", + "oauth2DeviceCodeLifespan": "600", + "oauth2DevicePollingInterval": "5", + "parRequestUriLifespan": "60", + "cibaInterval": "5" + }, + "keycloakVersion": "19.0.3", + "userManagedAccessAllowed": false, + "clientProfiles": { + "profiles": [] + }, + "clientPolicies": { + "policies": [] + } +} diff --git a/src/main/resources/baseline/20.0.3/client/client.json b/src/main/resources/baseline/20.0.3/client/client.json new file mode 100644 index 000000000..d555d4f48 --- /dev/null +++ b/src/main/resources/baseline/20.0.3/client/client.json @@ -0,0 +1,45 @@ +{ + "id": "8a641514-bb92-4a5e-8ea4-27b90ef3e637", + "clientId": "reference-client", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "hzjJYnHVxMf3I3ugD4le0CgT1iI3rCx2", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "client.secret.creation.time": "1676457441" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ], + "access": { + "view": true, + "configure": true, + "manage": true + } +} diff --git a/src/main/resources/baseline/20.0.3/realm/realm.json b/src/main/resources/baseline/20.0.3/realm/realm.json new file mode 100644 index 000000000..ee28d9e47 --- /dev/null +++ b/src/main/resources/baseline/20.0.3/realm/realm.json @@ -0,0 +1,2188 @@ +{ + "id": "REALM_NAME_PLACEHOLDER", + "realm": "REALM_NAME_PLACEHOLDER", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "roles": { + "realm": [ + { + "id": "c1c757e3-1483-4a13-a650-57d13762063d", + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "a63b0d92-16b3-4110-8dd8-b25ed575035a", + "attributes": {} + }, + { + "id": "1df44d36-8c3e-47a9-8b37-28b31c9c5fd1", + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, + "containerId": "a63b0d92-16b3-4110-8dd8-b25ed575035a", + "attributes": {} + }, + { + "id": "03ee0166-2480-429b-bc22-8f6fcd4f8126", + "name": "default-roles-REALM_NAME_PLACEHOLDER", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ], + "client": { + "account": [ + "view-profile", + "manage-account" + ] + } + }, + "clientRole": false, + "containerId": "a63b0d92-16b3-4110-8dd8-b25ed575035a", + "attributes": {} + } + ], + "client": { + "realm-management": [ + { + "id": "1305643f-47b2-471a-95b0-42f962443c0e", + "name": "view-authorization", + "description": "${role_view-authorization}", + "composite": false, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "deb716da-2b9c-429d-a23a-21e3e40caf11", + "name": "view-realm", + "description": "${role_view-realm}", + "composite": false, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "be59b49b-4a79-400f-a67b-0a17903155c9", + "name": "manage-realm", + "description": "${role_manage-realm}", + "composite": false, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "9b2e7245-5859-49fd-a3b0-aeb215dc6e12", + "name": "view-users", + "description": "${role_view-users}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-groups", + "query-users" + ] + } + }, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "7e010c9f-565b-450b-a222-0122ab71010d", + "name": "manage-clients", + "description": "${role_manage-clients}", + "composite": false, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "92004b3a-9187-4f73-9169-319dbdec02bb", + "name": "query-groups", + "description": "${role_query-groups}", + "composite": false, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "696b1e73-b5f0-4990-a00f-943a53ff4555", + "name": "manage-users", + "description": "${role_manage-users}", + "composite": false, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "aae4db77-9a27-4cb7-b6f6-3f109f553502", + "name": "query-users", + "description": "${role_query-users}", + "composite": false, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "e2fd690b-88be-4953-8bff-3225e40fdbd4", + "name": "view-events", + "description": "${role_view-events}", + "composite": false, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "39b3b817-bea6-47f5-8b34-4fc32211e433", + "name": "manage-authorization", + "description": "${role_manage-authorization}", + "composite": false, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "2615c6ce-7dc4-448b-940f-26905a99b25d", + "name": "manage-events", + "description": "${role_manage-events}", + "composite": false, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "254a5871-81e9-4e96-b6a1-cf6c27d3ddb2", + "name": "query-realms", + "description": "${role_query-realms}", + "composite": false, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "81582a5b-5be7-45be-9c0b-52582ede762a", + "name": "manage-identity-providers", + "description": "${role_manage-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "322ce24f-42f5-40c6-a8bd-d31734ac9834", + "name": "impersonation", + "description": "${role_impersonation}", + "composite": false, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "30e5d91d-ac17-4812-ba11-cba05e1add77", + "name": "realm-admin", + "description": "${role_realm-admin}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "view-authorization", + "view-realm", + "manage-realm", + "view-users", + "manage-clients", + "query-groups", + "manage-users", + "query-users", + "view-events", + "manage-authorization", + "query-realms", + "manage-events", + "manage-identity-providers", + "impersonation", + "view-clients", + "create-client", + "query-clients", + "view-identity-providers" + ] + } + }, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "c21b3f56-ea00-4e69-905d-88fdb6e78dfa", + "name": "create-client", + "description": "${role_create-client}", + "composite": false, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "93612d37-df0a-4898-9c9a-c01afb1249b8", + "name": "view-clients", + "description": "${role_view-clients}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-clients" + ] + } + }, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "1e59ed3e-a91c-4ee3-8b29-a8da6c035549", + "name": "query-clients", + "description": "${role_query-clients}", + "composite": false, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + }, + { + "id": "15a8e4ef-f406-44e6-b4dc-21fdce6fd023", + "name": "view-identity-providers", + "description": "${role_view-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "61f1ed79-6efa-4109-9051-cd26de56f538", + "attributes": {} + } + ], + "security-admin-console": [], + "admin-cli": [], + "account-console": [], + "broker": [ + { + "id": "ed91f070-bce3-4b4c-a1bd-066bc96ff3e0", + "name": "read-token", + "description": "${role_read-token}", + "composite": false, + "clientRole": true, + "containerId": "db9b8810-7b16-47a9-8b9e-8de58449c206", + "attributes": {} + } + ], + "account": [ + { + "id": "f583ff69-51dc-4c6e-8a1d-addf142c3220", + "name": "delete-account", + "description": "${role_delete-account}", + "composite": false, + "clientRole": true, + "containerId": "28e61d0d-c4dc-4a91-8012-1a2f0325945c", + "attributes": {} + }, + { + "id": "9ac5bf5b-bb5d-4138-b397-04ea73622a60", + "name": "view-profile", + "description": "${role_view-profile}", + "composite": false, + "clientRole": true, + "containerId": "28e61d0d-c4dc-4a91-8012-1a2f0325945c", + "attributes": {} + }, + { + "id": "ab3ce8f1-ec74-4a35-b00a-259db0bc0878", + "name": "view-consent", + "description": "${role_view-consent}", + "composite": false, + "clientRole": true, + "containerId": "28e61d0d-c4dc-4a91-8012-1a2f0325945c", + "attributes": {} + }, + { + "id": "6907ab95-1c60-4f5b-912b-ee6d5c98346d", + "name": "manage-account", + "description": "${role_manage-account}", + "composite": true, + "composites": { + "client": { + "account": [ + "manage-account-links" + ] + } + }, + "clientRole": true, + "containerId": "28e61d0d-c4dc-4a91-8012-1a2f0325945c", + "attributes": {} + }, + { + "id": "073dfba9-b2b5-42de-a147-e0ac00b9cd76", + "name": "view-groups", + "description": "${role_view-groups}", + "composite": false, + "clientRole": true, + "containerId": "28e61d0d-c4dc-4a91-8012-1a2f0325945c", + "attributes": {} + }, + { + "id": "e9989640-ed85-40e5-86fc-51473fdafd4f", + "name": "view-applications", + "description": "${role_view-applications}", + "composite": false, + "clientRole": true, + "containerId": "28e61d0d-c4dc-4a91-8012-1a2f0325945c", + "attributes": {} + }, + { + "id": "d5b8032e-e9b2-44fb-8354-ac3e068fb6d3", + "name": "manage-account-links", + "description": "${role_manage-account-links}", + "composite": false, + "clientRole": true, + "containerId": "28e61d0d-c4dc-4a91-8012-1a2f0325945c", + "attributes": {} + }, + { + "id": "93560eab-3dd4-4ff4-b252-6f6c2103ff31", + "name": "manage-consent", + "description": "${role_manage-consent}", + "composite": true, + "composites": { + "client": { + "account": [ + "view-consent" + ] + } + }, + "clientRole": true, + "containerId": "28e61d0d-c4dc-4a91-8012-1a2f0325945c", + "attributes": {} + } + ] + } + }, + "groups": [], + "defaultRole": { + "id": "03ee0166-2480-429b-bc22-8f6fcd4f8126", + "name": "default-roles-REALM_NAME_PLACEHOLDER", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "a63b0d92-16b3-4110-8dd8-b25ed575035a" + }, + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpPolicyCodeReusable": false, + "otpSupportedApplications": [ + "totpAppGoogleName", + "totpAppFreeOTPName" + ], + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "scopeMappings": [ + { + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] + } + ], + "clientScopeMappings": { + "account": [ + { + "client": "account-console", + "roles": [ + "manage-account", + "view-groups" + ] + } + ] + }, + "clients": [ + { + "id": "28e61d0d-c4dc-4a91-8012-1a2f0325945c", + "clientId": "account", + "name": "${client_account}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/REALM_NAME_PLACEHOLDER/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/REALM_NAME_PLACEHOLDER/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "a1797864-8592-4d75-b2c0-af15ca029abd", + "clientId": "account-console", + "name": "${client_account-console}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/REALM_NAME_PLACEHOLDER/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/REALM_NAME_PLACEHOLDER/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "7e32f2c3-d9fb-40e0-a618-fb68c921f9d9", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "bb4d6126-c9c3-4c39-8016-805d04d55829", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "db9b8810-7b16-47a9-8b9e-8de58449c206", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "61f1ed79-6efa-4109-9051-cd26de56f538", + "clientId": "realm-management", + "name": "${client_realm-management}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "6c009e16-d012-43ac-9093-ce95786c2cb8", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "rootUrl": "${authAdminUrl}", + "baseUrl": "/admin/REALM_NAME_PLACEHOLDER/console/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/admin/REALM_NAME_PLACEHOLDER/console/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "84f24df3-9b58-41fb-a05a-e591fc47e9d7", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + } + ], + "clientScopes": [ + { + "id": "aa08b21f-f33f-4079-be3d-1e925b44c935", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "ab4f2643-cc27-463e-bfba-44712cffb45e", + "name": "acr", + "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "bcc3ec1d-d4bb-4171-82c3-e9b7f2de7371", + "name": "acr loa level", + "protocol": "openid-connect", + "protocolMapper": "oidc-acr-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true" + } + } + ] + }, + { + "id": "804093f4-8a08-4cca-a1a1-6008b7695e92", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "17a68f02-d8dc-4771-aeeb-d6e262e4fd07", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": {} + } + ] + }, + { + "id": "bb39a86e-661c-47ef-aa54-d3d2da043340", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "17d26261-10f5-4f60-8cf5-c4106af3a3ee", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + }, + { + "id": "4a18f46f-63ac-4577-89c1-caa895a05255", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "c91c9396-3cca-48c7-93b8-e93567f56f7e", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "888660e1-577c-4249-9703-e86241b9e714", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "id": "3ddfe32a-e127-4808-8f59-a7ba97345258", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, + { + "id": "ab023b96-89e4-41ed-b923-288bac047809", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + }, + { + "id": "010b1c53-3403-476c-904f-81f51eaf297a", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + }, + { + "id": "558d8acf-56c5-4011-a366-f4370ebfaa4c", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "id": "5ca091f1-dd75-4f51-92cf-8fe52e1bd91a", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "id": "c77ea1c7-af58-4fe4-8760-d5fc367a537d", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "8aa68575-a903-46ae-adb7-43b4c5573f88", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "319c76bc-93b5-4f78-b371-760f01143ffb", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "id": "682141fe-c658-4a27-9c4f-d12cd6fd639d", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": "31285f11-a0a0-4e95-a204-acda390961be", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + }, + { + "id": "ee8c508a-f021-46c8-ba42-9f32b32aa504", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "6aad901c-f1c7-46d8-bfc2-ddd17b37e73d", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "id": "72f7e384-849a-475f-ad2d-0ea19319edd3", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "long" + } + } + ] + }, + { + "id": "204b6707-5432-43d6-928f-ed17669edc8e", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "6ffca153-999d-45dc-a98c-37ad1f79b04e", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + }, + { + "id": "c8e75ea4-0006-4f7c-882c-8f1499bf14ca", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "24c8b752-95fa-4b11-9c99-1da3d7028783", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "07b45364-f53c-453f-9d6f-1122586e8633", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "e0c34249-b2e2-49cf-b414-9aac15acd82b", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "fcf43c71-170f-4c04-90b5-d6aefb16c7a5", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + }, + { + "id": "88097d77-681a-4b3a-a025-92fae6182a15", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "ac7c6a5d-9d21-4712-889f-951ba412ced0", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "9f08ee07-98a9-496d-b90c-897b38bd2dd3", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "6ba80bef-0a4f-4be1-9e34-89f1a9c8c976", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "9e774de8-10f9-4c1f-b70e-242f07532cf7", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "2086dce7-3707-4101-9174-7ca97082d228", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + }, + { + "id": "7da3ae82-c74d-456e-a1f4-23f5d2ad6919", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" + } + } + ] + } + ], + "defaultDefaultClientScopes": [ + "role_list", + "profile", + "email", + "roles", + "web-origins", + "acr" + ], + "defaultOptionalClientScopes": [ + "offline_access", + "address", + "phone", + "microprofile-jwt" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection": "1; mode=block", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + "smtpServer": {}, + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [], + "identityProviderMappers": [], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "fc6af199-36bb-4721-8805-65b15ac23677", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "4eca2c9d-3fd9-4798-a96f-66ab020f0999", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "a6493944-7b42-47c9-8161-15bcce5e1dea", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "saml-user-attribute-mapper", + "oidc-full-name-mapper", + "saml-user-property-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-usermodel-property-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-address-mapper", + "saml-role-list-mapper" + ] + } + }, + { + "id": "20f18ede-0082-4211-8193-97b3faf58832", + "name": "Trusted Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + }, + { + "id": "59fd957f-035a-4381-ba69-b07befc54769", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "saml-user-attribute-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-full-name-mapper", + "oidc-sha256-pairwise-sub-mapper", + "oidc-address-mapper", + "saml-role-list-mapper", + "saml-user-property-mapper", + "oidc-usermodel-property-mapper" + ] + } + }, + { + "id": "b5cf58aa-ebfe-4da0-adcf-ad3faee18502", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "acec3143-8444-4d8f-9020-5fdd1992bfa8", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "6555ff94-661a-4659-9cde-0eb2147892ea", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "f957405f-8f50-432a-8ade-8805d27e8b04", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "privateKey": [ + "MIIEpAIBAAKCAQEA68PJqiC6cMTIaFvxsnhkyHXiOuwMxa3Udvu3lYJggl+3hMK9Pn1x7ojApUEch53qCIDLJADmr93aofdylZlLLdK/8vDViq8XWnodDfVDi6FttLhGhWiO7e37KswQ2wbosbQFbWIdU8brbsH1sm7snkwGTUuTXt3RDmWOlamomlbeumxNo9SaG+SSMdqwzB1KAu6IQwARvbA8LvzfMhlc6jh16o7CO1QTNFlbZ/8RDmu0T/pOF9TUccsw0hPiFbGzVy7+lANEVFXY9Un0sZTtb3xhJ6l9zsn07ZZEZ6D4COY0yGROWD5bvNUusZvDuzkg75myEHNDb4iZY0+DaiVRwQIDAQABAoIBABaWcUWOPCkzWTtSWm4tsFjaSRyPDUw1HW7G1VhgH4HuIgV4qNaKAIveEzg3QZX7+vY/QfccP6hoGhsRZit5/noQlRj1ROg0DTSQZXnhs8vMDALX8tMI6O9XsQwbyp5JY6rUI1RO+vNR/Vq6VMv4ak1iMupd4WvMgaEeTrz8/lfG6BxBcCGx8Wpvxsd9VvcAyPqXwI2C5y0JSnOJIHRxvLr2NmQeFdFppcVlucQV1SCzxnbMRcI5i0RKuOo/9yJJForwFJcFzkAxWgeUnJglNw/C/20s0aKwM+z+mBAFK/uZPjvEVcbTXj3KM1iuWs5l6FW03YyI5xO5EC2fRUmUKWcCgYEA+Yx2t6GSQ6YJ/v4DhaZv2rzEtn5G9Nk4J98w2GiQAjW4SBRp+vaWrmWhvkvrpX6lp741k9jK6CViayEE05orEHmVjHM885AiddQc88zxtCpGijMR1FuVdklswd0LnyB/PLWgr3f7Z1qAYyFCbxnpcg76jpQCpo36h40KEOO80BcCgYEA8dwZ1/Vwq6UDJBvM9QBvjOnW7Jeoico2m2Hsd74v9G1si+yywyvIMphVnlqoHsXqdxi79ZHJXiyfB/zmQWO9dEhcxq2OubaemDzeJLwXRcLW+Cg4VNIirDdZEWo/nhD7P+00IP/y8Z5neguWYVc01sLkCGB46z8Q/8R59xuZ++cCgYEA0/F9framD/h8MuqwORnDlEaQ1+HmB9xZOlvwE0yzSn0vl2BnJnO6REIjHglDCVrH/PCqdnhA1OuzbAMuIz2j56kr346cLMy0x9gwAsyEWB0zrfpz4SUrirwPt5MyZKLoDbrAz2aaygvuUMMVtmCOiYW5PdDtc2HQbsHV08RoP18CgYB09fi1fCcxioobUypprP1FCux529mQUO7Zc6CUQ7ATJzuf6yaDxc950DtPag31W8bIM3jqB8d2uGNrzHxZUO+UpU3gcpwb6VmGy6Ct6RvkC5ZDycd8FWbZG6cCCfyb5yBpyL812jDVccIevi3KAw81cGgwON8g/I2u8of83Sc5LwKBgQCtVDV1OHE24Y2DxRAakZ5fMp3NYIE8Y+5XrhwHdWRa72AaAz7DrU12b7yZJH5y/upV4Gv12Ia1o1pAx9mXSnVb0WSHp1A8UNtCVlivtnr66BGb5X5ucw53Wz+ciL3KgoHm5pU7Q/6UxttWyikvF2uBp6xMBWOcv3b1f6erxcw2aQ==" + ], + "keyUse": [ + "SIG" + ], + "certificate": [ + "MIICoTCCAYkCBgGGVKQ/mjANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlkZW1vcmVhbG0wHhcNMjMwMjE1MTAzMzE1WhcNMzMwMjE1MTAzNDU1WjAUMRIwEAYDVQQDDAlkZW1vcmVhbG0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrw8mqILpwxMhoW/GyeGTIdeI67AzFrdR2+7eVgmCCX7eEwr0+fXHuiMClQRyHneoIgMskAOav3dqh93KVmUst0r/y8NWKrxdaeh0N9UOLoW20uEaFaI7t7fsqzBDbBuixtAVtYh1TxutuwfWybuyeTAZNS5Ne3dEOZY6VqaiaVt66bE2j1Job5JIx2rDMHUoC7ohDABG9sDwu/N8yGVzqOHXqjsI7VBM0WVtn/xEOa7RP+k4X1NRxyzDSE+IVsbNXLv6UA0RUVdj1SfSxlO1vfGEnqX3OyfTtlkRnoPgI5jTIZE5YPlu81S6xm8O7OSDvmbIQc0NviJljT4NqJVHBAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHTSxIteVa2a1V4pqCHweJTRxoXOGE6048ZtEzOsO/5xElynszVZ1iMXlRq8uNTlc80Icx4hw17attP7KCColFIwZ0HCq1IfLQEquoHBaLDhIhVQ7ehCTkto/u8nLgfZL+NDkO+nT+i5eNctMQG74x6hTV3Urc5z4MnBtJNqtPvR+Lw0pbtH07f+K345Z06nxES0Hnb6TLsw8BuTTKPfSqVIAbsi4n3pUgULdeVRd0iYaSQdmwRaFEntWzUJlM4GjvaIPkaMS1CwjEBuutLzskVSiFlQ26W8KwXn7ySIBlec4ox3VD+Q7YynR64bB6Hs1MmFFuooTjn4c02uytLmK2o=" + ], + "priority": [ + "100" + ] + } + }, + { + "id": "d0d08daf-ba76-4e82-8183-37aa8f9a6af1", + "name": "rsa-enc-generated", + "providerId": "rsa-enc-generated", + "subComponents": {}, + "config": { + "privateKey": [ + "MIIEpAIBAAKCAQEA6wG/F8mo6eXBXSuShH9D2ybnMNUfh9dbRJ+Bporl/XNOSxBKaiyo+2W1VIdrjsedwmQuQoFjs2f229qzBS9Fl4ChLxlIjJEW1U+bPilRZUDlSM3q2HE6O4acP+nSIG8ZW9/KhXPgcanM+MixkM9cHzO7bqGKKcnCKD5Y8ia2Vc1PXPNguxmDwuj9XSlpdDOzRZiMUZzcqxzxWgyfUTD839NN16AM6tN4CBIuK779Zwah0ym4wLiVdX2UCJNVzVzuo16YoXYOlXC+skiWG+M4pjj3/IKkLQvzpO9Zh1x6NNMsstGQhPSRUq4KX4fquQVDwxDvIzsIWn2pcTmkOsdWSwIDAQABAoIBADCrTWx7PoimJOwLPI5FHwPxZBrIYH3M+2FUWVDo3iWlrha8mnSvqBVcZHfLjdple8YI4k2ypze99bFlcwLFXfe402jCJzS5TY3CrUdr3igGjxWLU7IcjO9L+ur/nR1LdOiCidome9p+TG1Pfvqa/xyVJaGNQeRSnOuhseEAZG2TMEidK0nWI1NQdm5Q6hsNI2UcPbq3+0ouHz2xBYGoKln76Ibqk5yfNty60jtxeQwg1P0I5PjiyLIiOQUKzaGEX6NENr/WI0qXLr5460ioCqI3Urrgml+lDij/Tg5BXs/Dd1awbup3/vUId/gd7Hy99tXDOK0iXyjZThfgBhsBiYUCgYEA/5zJhrn3g3YyFhPljP4xQBP3k4f/sPBihNwshsa/P8DBIFvxBE3jL+u8QZ/d1PU935gq4183HT8Nk7DFoQ0pntdLyJxfZ5oF07d0qYoHY++R5OIqX2VK2AXBGbwuCUct/XXjEUn83MSBgg1GGbY6qyty1UwBqQhN+qqiOxcUfS0CgYEA61z2IBNOs0T+ns4SsLZERM7uu2mV0IokaLQ60Rbk+7+sV+Mx0eapp4rXuxE33YFRrsvHonyfvbNZtqBnyw7fU8PQm5ozl9T1jeUAdgqm8l5cqpYswASL/NkWLkK3+D+ynLLjKygDZqMj3ZMO8c7nYw799QQaw4T9pzpJZjJLfFcCgYEArOk11kKEsdRJy2+IMBlf3ZXkO1ObXukt6+w43q8hfpH40tf/MUcy8R7JiacIW9/ODCwWjxrA4LLfj1HcTrblucKwTDOjwiSJ3o9ShsGNgEf2bFumCEQwHfO+jZcjmTkiXjvZ778aI4l2hjBOhGQmSdYpZyp0URECFxhIiCpzvL0CgYAYrtodCQlS4aR2URRCtgq40J7Wxr7wbNxeorAcZ3NCN5rCaNA7vB4EtRnkw2yBbWN8mmBoWPuDsIBzF6Vq9TdUmI+TEfvhK3NJG0AOIRXbCyxas38j8BYiQT4DQfn7Ler0ZgpO51Zb+DX1sct6boFzsQnPHUwVPyg+1m0GK7Yg5wKBgQDCIYvL6JhJidgP9ve3U0d0NUDAndRE5fuGqMcKvBiiRAE2D8RxHIWDre/NzrSLAst4UzmuPLG1LB1mIIfUHoPlHX5yEHbBRWtKeJUZ8tEU2z6uNZxP+ntf/K8fdkBS0jbowfG2G/nqqlyJuIrQduNvtT6aoZK0UjRtZ7iAdMjs5Q==" + ], + "keyUse": [ + "ENC" + ], + "certificate": [ + "MIICoTCCAYkCBgGGVKRAEDANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlkZW1vcmVhbG0wHhcNMjMwMjE1MTAzMzE1WhcNMzMwMjE1MTAzNDU1WjAUMRIwEAYDVQQDDAlkZW1vcmVhbG0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrAb8Xyajp5cFdK5KEf0PbJucw1R+H11tEn4GmiuX9c05LEEpqLKj7ZbVUh2uOx53CZC5CgWOzZ/bb2rMFL0WXgKEvGUiMkRbVT5s+KVFlQOVIzerYcTo7hpw/6dIgbxlb38qFc+Bxqcz4yLGQz1wfM7tuoYopycIoPljyJrZVzU9c82C7GYPC6P1dKWl0M7NFmIxRnNyrHPFaDJ9RMPzf003XoAzq03gIEi4rvv1nBqHTKbjAuJV1fZQIk1XNXO6jXpihdg6VcL6ySJYb4zimOPf8gqQtC/Ok71mHXHo00yyy0ZCE9JFSrgpfh+q5BUPDEO8jOwhafalxOaQ6x1ZLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEkOE5zWi8x3NfPWsdZkLckRw9vQFDYhQuaRZfD1i3lKvYW9xERFjOICuSHUX9yxX/CpGWVDAomXXXYxvlPpkENO/GjUGcL5UH6AopPkOzUZwsVWEylR6nczlK9sXjfjqgDOFwV19q5bn6hiV6qLG4Ty747lCATaxCUDPwJvZE8ZLFTHrccFtAH8VXCZbJJMLXO42LgMeG5nF4Tf1K0iI+4sSDWshl+QNugmaRQSrG0IklH4+U9J9JTwAiibkspgVsc2ubhbA+Xvzndg0vIQ2cEVWLqK9tRAIuaoANTmJneBZdBoVL5gtY3jCyXj6ecrKr+4JzeXCwmrxQUk9061eDU=" + ], + "priority": [ + "100" + ], + "algorithm": [ + "RSA-OAEP" + ] + } + }, + { + "id": "0d0237f6-29a9-4e1d-8de0-0490ab1c9118", + "name": "hmac-generated", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "kid": [ + "1523f166-af8b-4970-94ff-eabb0f391532" + ], + "secret": [ + "ByJpObMtnXpqZwygKnj_cgP-SkhVJPH_D-vgOS8yRSH9Km9idi4Ryh5w__zKGk4OeIJWQWRSz5VG_6kzINchKw" + ], + "priority": [ + "100" + ], + "algorithm": [ + "HS256" + ] + } + }, + { + "id": "53a26567-105e-4b11-bbd1-1516fe76104a", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + "config": { + "kid": [ + "8d1e845c-f3bc-4b6c-86c5-acbc49442386" + ], + "secret": [ + "EWEleDkIM15zP8tyIr6nHw" + ], + "priority": [ + "100" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "c3820085-85d3-4ff8-bd42-15464fa668b6", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] + }, + { + "id": "815709b3-7421-44b3-bf18-4838cf354852", + "alias": "Authentication Options", + "description": "Authentication options.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "basic-auth", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "basic-auth-otp", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "6b97ee19-cc94-435d-92cd-c16cec1ce04e", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "8ce4d49e-4ef9-4f99-ab46-3693b7b4a093", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "2d7a3dd7-cfa2-427c-b1c6-aa91a4cd6c63", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "bf73abb4-36f2-4338-8578-86ab06bb1131", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] + }, + { + "id": "65caf860-42ee-4bbe-aafe-468c838cf602", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "bf7960c0-0247-442b-b381-bea5646a4912", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false + } + ] + }, + { + "id": "1f2b94c0-0f10-4484-a224-0699141f7c02", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "a34173a7-4ad7-4817-ad11-9ddc459854aa", + "alias": "browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] + }, + { + "id": "a69e205f-6ae1-4aa1-9ed1-806dbc5f7168", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "18b4d1ed-9fcd-41b2-8db0-cdc74d9ad155", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "7aeeddfa-01fa-43c2-80ad-3d7089b8d952", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "4e0d5e38-0c28-4ad3-b904-e1dcde038e7f", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + } + ] + }, + { + "id": "c14d77a8-4c9f-429d-9d75-fd5d5046e140", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "e58d48bb-d404-40d9-9cfb-5fa5d450fef1", + "alias": "http challenge", + "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "no-cookie-redirect", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Authentication Options", + "userSetupAllowed": false + } + ] + }, + { + "id": "287e7e9a-1b9a-40b8-9d96-2718f336c12a", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] + }, + { + "id": "bad61d64-c8fb-4dad-b8fe-ce25da2de253", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-profile-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 60, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "68449dd8-7be7-4150-82fe-fb75b67c896e", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "autheticatorFlow": true, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "baded0d1-49db-4723-8924-19f1c6e4b0d3", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "c8e1e585-b8bb-417c-943d-079afbae72c5", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "07e5d37a-e1ed-4957-9802-f02b8565c715", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "terms_and_conditions", + "name": "Terms and Conditions", + "providerId": "terms_and_conditions", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "webauthn-register", + "name": "Webauthn Register", + "providerId": "webauthn-register", + "enabled": true, + "defaultAction": false, + "priority": 70, + "config": {} + }, + { + "alias": "webauthn-register-passwordless", + "name": "Webauthn Register Passwordless", + "providerId": "webauthn-register-passwordless", + "enabled": true, + "defaultAction": false, + "priority": 80, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaExpiresIn": "120", + "cibaAuthRequestedUserHint": "login_hint", + "oauth2DeviceCodeLifespan": "600", + "oauth2DevicePollingInterval": "5", + "parRequestUriLifespan": "60", + "cibaInterval": "5", + "realmReusableOtpCode": "false" + }, + "keycloakVersion": "20.0.3", + "userManagedAccessAllowed": false, + "clientProfiles": { + "profiles": [] + }, + "clientPolicies": { + "policies": [] + } +} diff --git a/src/main/resources/baseline/25.0.5/client/client.json b/src/main/resources/baseline/25.0.5/client/client.json new file mode 100644 index 000000000..b96b479b1 --- /dev/null +++ b/src/main/resources/baseline/25.0.5/client/client.json @@ -0,0 +1,59 @@ +{ + "clientId": "reference-client", + "name": "", + "description": "", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "cjQ7lt37eAxeBRDzmLDsML89l1F6MHeY", + "redirectUris": [ + "/*" + ], + "webOrigins": [ + "/*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "client.secret.creation.time": "1726783534", + "backchannel.logout.session.required": "true", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "organization", + "microprofile-jwt" + ], + "access": { + "view": true, + "configure": true, + "manage": true + } +} diff --git a/src/main/resources/baseline/25.0.5/realm/realm.json b/src/main/resources/baseline/25.0.5/realm/realm.json new file mode 100644 index 000000000..463be743b --- /dev/null +++ b/src/main/resources/baseline/25.0.5/realm/realm.json @@ -0,0 +1,2355 @@ +{ + "id": "dd63c101-0933-44ff-bd0d-6291b7b195ae", + "realm": "REALM_NAME_PLACEHOLDER", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxTemporaryLockouts": 0, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "roles": { + "realm": [ + { + "id": "9580c9da-0c78-43c6-82b6-f1694db9bfa2", + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, + "containerId": "dd63c101-0933-44ff-bd0d-6291b7b195ae", + "attributes": {} + }, + { + "id": "480c5735-3615-4031-8af5-1a5941f6ed85", + "name": "default-roles-REALM_NAME_PLACEHOLDER", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ], + "client": { + "account": [ + "manage-account", + "view-profile" + ] + } + }, + "clientRole": false, + "containerId": "dd63c101-0933-44ff-bd0d-6291b7b195ae", + "attributes": {} + }, + { + "id": "acdaa4dc-3b37-4ef8-bc96-61d0bad24273", + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "dd63c101-0933-44ff-bd0d-6291b7b195ae", + "attributes": {} + } + ], + "client": { + "realm-management": [ + { + "id": "cfb49ecc-087c-45ee-82b9-c04f09598ce7", + "name": "manage-users", + "description": "${role_manage-users}", + "composite": false, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "6fa23d54-426d-43fe-8fe9-1ea3eb901101", + "name": "view-authorization", + "description": "${role_view-authorization}", + "composite": false, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "98f722da-2e2b-4607-9cee-cfbf53593f36", + "name": "impersonation", + "description": "${role_impersonation}", + "composite": false, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "831f2cef-957c-4eaf-a309-e04ba25aed17", + "name": "view-clients", + "description": "${role_view-clients}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-clients" + ] + } + }, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "ad3da993-2344-45ab-adda-805025fe1c0e", + "name": "create-client", + "description": "${role_create-client}", + "composite": false, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "9144db3e-b609-4afa-a7fb-86340e7c4943", + "name": "manage-events", + "description": "${role_manage-events}", + "composite": false, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "64ce3225-b08c-45ac-b4da-a0f78ff53054", + "name": "query-clients", + "description": "${role_query-clients}", + "composite": false, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "bff7eea4-ef17-4873-8712-8461ac4a3ecb", + "name": "query-groups", + "description": "${role_query-groups}", + "composite": false, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "a8a226e0-fbdc-4a67-b4d8-53a945fad25c", + "name": "query-realms", + "description": "${role_query-realms}", + "composite": false, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "b22b71b1-a8dd-4aad-a879-a266a27f5da0", + "name": "realm-admin", + "description": "${role_realm-admin}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "manage-users", + "view-authorization", + "view-clients", + "impersonation", + "create-client", + "manage-events", + "query-clients", + "query-groups", + "query-realms", + "view-users", + "view-events", + "manage-clients", + "manage-identity-providers", + "manage-realm", + "query-users", + "view-identity-providers", + "manage-authorization", + "view-realm" + ] + } + }, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "56940251-b312-4ba5-8897-80770420fbc5", + "name": "view-users", + "description": "${role_view-users}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-users", + "query-groups" + ] + } + }, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "8080db13-00bd-4091-a36d-eb9a727c6e06", + "name": "manage-clients", + "description": "${role_manage-clients}", + "composite": false, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "c637da23-2962-43fd-ad60-3d722b83c991", + "name": "manage-identity-providers", + "description": "${role_manage-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "77347d4e-c2ba-4590-b9d7-2f6caacfb9c2", + "name": "view-events", + "description": "${role_view-events}", + "composite": false, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "eee3badf-8cfd-45e0-95e2-b31c4246b2ff", + "name": "manage-realm", + "description": "${role_manage-realm}", + "composite": false, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "62028465-2dbc-438c-a3da-d1028fc064cb", + "name": "query-users", + "description": "${role_query-users}", + "composite": false, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "c3d108ea-11e7-4c03-9e22-165e27a37b29", + "name": "view-identity-providers", + "description": "${role_view-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "f104fd30-19bc-41f1-8d1d-8ac8060f4d3e", + "name": "manage-authorization", + "description": "${role_manage-authorization}", + "composite": false, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + }, + { + "id": "291747a2-0c07-4265-afe8-08a195e6d029", + "name": "view-realm", + "description": "${role_view-realm}", + "composite": false, + "clientRole": true, + "containerId": "dabfe89e-a20a-4502-81ae-6effe456c884", + "attributes": {} + } + ], + "security-admin-console": [], + "admin-cli": [], + "account-console": [], + "broker": [ + { + "id": "09571088-e666-437f-a2e5-1025ab1c2679", + "name": "read-token", + "description": "${role_read-token}", + "composite": false, + "clientRole": true, + "containerId": "2d47b1b5-8c05-4cfb-adac-000dff429b98", + "attributes": {} + } + ], + "account": [ + { + "id": "5e1c1bd4-a134-4765-8f0b-753adc507e3f", + "name": "delete-account", + "description": "${role_delete-account}", + "composite": false, + "clientRole": true, + "containerId": "c9b64036-d306-481f-acf0-138f42e4714f", + "attributes": {} + }, + { + "id": "87f66ba3-e129-4b3d-a50c-1dbefb31c3e3", + "name": "view-applications", + "description": "${role_view-applications}", + "composite": false, + "clientRole": true, + "containerId": "c9b64036-d306-481f-acf0-138f42e4714f", + "attributes": {} + }, + { + "id": "21efa0ec-d716-49d7-b987-550b4158300c", + "name": "manage-account-links", + "description": "${role_manage-account-links}", + "composite": false, + "clientRole": true, + "containerId": "c9b64036-d306-481f-acf0-138f42e4714f", + "attributes": {} + }, + { + "id": "294862a6-637d-4993-9743-fab2ea7745d5", + "name": "view-groups", + "description": "${role_view-groups}", + "composite": false, + "clientRole": true, + "containerId": "c9b64036-d306-481f-acf0-138f42e4714f", + "attributes": {} + }, + { + "id": "ffd6f5d8-5f93-4824-9bb8-4a18bda8e65c", + "name": "manage-consent", + "description": "${role_manage-consent}", + "composite": true, + "composites": { + "client": { + "account": [ + "view-consent" + ] + } + }, + "clientRole": true, + "containerId": "c9b64036-d306-481f-acf0-138f42e4714f", + "attributes": {} + }, + { + "id": "7101cd26-567b-41a2-935d-6dd3c95447d4", + "name": "view-consent", + "description": "${role_view-consent}", + "composite": false, + "clientRole": true, + "containerId": "c9b64036-d306-481f-acf0-138f42e4714f", + "attributes": {} + }, + { + "id": "0b2fda0c-350c-4719-8485-74c4c9a14b4f", + "name": "manage-account", + "description": "${role_manage-account}", + "composite": true, + "composites": { + "client": { + "account": [ + "manage-account-links" + ] + } + }, + "clientRole": true, + "containerId": "c9b64036-d306-481f-acf0-138f42e4714f", + "attributes": {} + }, + { + "id": "66746e76-a6e9-4f17-8a53-c8485ffcbd54", + "name": "view-profile", + "description": "${role_view-profile}", + "composite": false, + "clientRole": true, + "containerId": "c9b64036-d306-481f-acf0-138f42e4714f", + "attributes": {} + } + ] + } + }, + "groups": [], + "defaultRole": { + "id": "480c5735-3615-4031-8af5-1a5941f6ed85", + "name": "default-roles-REALM_NAME_PLACEHOLDER", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "dd63c101-0933-44ff-bd0d-6291b7b195ae" + }, + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpPolicyCodeReusable": false, + "otpSupportedApplications": [ + "totpAppFreeOTPName", + "totpAppGoogleName", + "totpAppMicrosoftAuthenticatorName" + ], + "localizationTexts": {}, + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyExtraOrigins": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "webAuthnPolicyPasswordlessExtraOrigins": [], + "scopeMappings": [ + { + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] + } + ], + "clientScopeMappings": { + "account": [ + { + "client": "account-console", + "roles": [ + "manage-account", + "view-groups" + ] + } + ] + }, + "clients": [ + { + "id": "c9b64036-d306-481f-acf0-138f42e4714f", + "clientId": "account", + "name": "${client_account}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/REALM_NAME_PLACEHOLDER/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/REALM_NAME_PLACEHOLDER/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "organization", + "microprofile-jwt" + ] + }, + { + "id": "fb5c35f5-62d6-4641-96f5-1e92fee5e4c9", + "clientId": "account-console", + "name": "${client_account-console}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/REALM_NAME_PLACEHOLDER/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/REALM_NAME_PLACEHOLDER/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "26ccae04-fffd-4fb2-8c8b-a69331675dc4", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "organization", + "microprofile-jwt" + ] + }, + { + "id": "83bcfb18-8a63-40e8-a318-2511e432b8f9", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "organization", + "microprofile-jwt" + ] + }, + { + "id": "2d47b1b5-8c05-4cfb-adac-000dff429b98", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "organization", + "microprofile-jwt" + ] + }, + { + "id": "dabfe89e-a20a-4502-81ae-6effe456c884", + "clientId": "realm-management", + "name": "${client_realm-management}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "organization", + "microprofile-jwt" + ] + }, + { + "id": "5e7102d7-cbc5-48f2-855b-6c49b7730bc5", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "rootUrl": "${authAdminUrl}", + "baseUrl": "/admin/REALM_NAME_PLACEHOLDER/console/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/admin/REALM_NAME_PLACEHOLDER/console/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "f0dc4884-abd8-43b1-8daf-a4ea30af2c45", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "organization", + "microprofile-jwt" + ] + } + ], + "clientScopes": [ + { + "id": "75c3c28e-9954-4591-ad9f-2fa561935969", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "consent.screen.text": "${phoneScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "c1bd61d7-b43c-47b6-bb09-c8f1048626b9", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + }, + { + "id": "22570598-1102-4011-a257-914cf1c61cb9", + "name": "phone number verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "2b62b196-a141-4963-b0a8-7cf1a5e5d79d", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "consent.screen.text": "", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "8103b7d0-9a8f-42c3-8cd4-3c14ab4f45d6", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "access.token.claim": "true" + } + } + ] + }, + { + "id": "0c9b45df-7b86-498e-a50b-263c81516364", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "consent.screen.text": "${emailScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "55a6275a-652a-4087-800f-b8a96a18f847", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + }, + { + "id": "5deee1be-1359-4700-b3eb-fda36f384c6c", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "baefbd93-a03d-4dcf-a810-d130c4c52e34", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "d9afdfca-5d6a-4154-9cb4-ffbca2c9a0cd", + "name": "basic", + "description": "OpenID Connect scope for add all basic claims to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "b4274c50-30bd-41b8-90cf-0226c3537325", + "name": "sub", + "protocol": "openid-connect", + "protocolMapper": "oidc-sub-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "access.token.claim": "true" + } + }, + { + "id": "9816cb0e-df86-47d8-8c6d-a6e1e728936d", + "name": "auth_time", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "AUTH_TIME", + "id.token.claim": "true", + "introspection.token.claim": "true", + "access.token.claim": "true", + "claim.name": "auth_time", + "jsonType.label": "long" + } + } + ] + }, + { + "id": "c747bf13-7fef-4210-931f-5b925e66b762", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "consent.screen.text": "${rolesScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "16806ab6-8445-4982-98c5-31d2027eef21", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "access.token.claim": "true" + } + }, + { + "id": "f84f3429-cb42-41b1-a1f0-b0ce18547f88", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "introspection.token.claim": "true", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" + } + }, + { + "id": "bb42a14a-d1d2-469b-ba6a-5de818f9dc09", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "user.attribute": "foo", + "introspection.token.claim": "true", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String", + "multivalued": "true" + } + } + ] + }, + { + "id": "27c4af4a-ba34-4ab8-a3c7-d170c7600ce9", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "consent.screen.text": "${addressScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "5fce34d7-0d3f-4ea3-9dd8-e9a935d7afc8", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "introspection.token.claim": "true", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "54a28d98-624a-446a-bac6-987ef81e94a1", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "d24b73e0-99ff-4529-822b-e34ca0f01e40", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "multivalued": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "id": "b8cb435d-b65e-4ea7-9fcf-47e68d12034c", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "29e507c4-0d25-4c7e-bab2-445f02229498", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "consent.screen.text": "${profileScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "38069a29-e1a5-418f-ae2c-d3eaad7aac72", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "id": "75e8f35b-c264-413f-8329-6f1f75845754", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "lastName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "id": "14dbae81-967b-4293-a717-37e7c23849ce", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "id": "b5e39b39-251b-4c7c-a495-f224fa668b8e", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + }, + { + "id": "8524ea93-38b8-4dc1-b1f0-d6a79be4aa49", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "long" + } + }, + { + "id": "b43b0a85-5b62-4e24-bb44-d27ad870231e", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, + { + "id": "3ec07ced-87fe-4a6f-a6d6-3aef1b70bb77", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "279983b1-32c1-4240-a364-e1c5da2d1567", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "id": "1308c0b3-f55e-4073-bef8-5f2ea0b6d7f1", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "id": "ed828254-6168-41fd-95e8-bd0296499677", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + }, + { + "id": "e008f950-539e-4484-9e49-a5ddc19a6247", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "13145ef8-796d-44eb-9f91-6097872f7e43", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "introspection.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "44bd6fd2-002a-4f2e-9f67-85a10bdaaf91", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": "af4a8bbb-eea2-4e92-a52e-db1b598cbdda", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "e20000d2-97e9-4963-97ed-29c2493e88a1", + "name": "saml_organization", + "description": "Organization Membership", + "protocol": "saml", + "attributes": { + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "f79afeba-4905-4acd-9a31-f5772a9cfaf5", + "name": "organization", + "protocol": "saml", + "protocolMapper": "saml-organization-membership-mapper", + "consentRequired": false, + "config": {} + } + ] + }, + { + "id": "669d6b18-ad12-4ad4-bdac-2ccc9ba8ec19", + "name": "acr", + "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "68c8bb60-3ade-4629-8e39-bacbbf1729a9", + "name": "acr loa level", + "protocol": "openid-connect", + "protocolMapper": "oidc-acr-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "introspection.token.claim": "true", + "access.token.claim": "true" + } + } + ] + }, + { + "id": "e2644a46-32ce-4773-a502-4b49047ade5f", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "a16f5c5c-9b31-48e4-9a2a-b1102f116929", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "f4a04ae3-7689-4162-a10d-80bf12c062b8", + "name": "organization", + "description": "Additional claims about the organization a subject belongs to", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "consent.screen.text": "${organizationScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "86d3a466-ec88-4260-8666-c80fb8a67616", + "name": "organization", + "protocol": "openid-connect", + "protocolMapper": "oidc-organization-membership-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "introspection.token.claim": "true", + "access.token.claim": "true" + } + } + ] + } + ], + "defaultDefaultClientScopes": [ + "role_list", + "saml_organization", + "profile", + "email", + "roles", + "web-origins", + "acr", + "basic" + ], + "defaultOptionalClientScopes": [ + "offline_access", + "address", + "phone", + "microprofile-jwt", + "organization" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "referrerPolicy": "no-referrer", + "xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection": "1; mode=block", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + "smtpServer": {}, + "eventsEnabled": false, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [], + "adminEventsEnabled": false, + "adminEventsDetailsEnabled": false, + "identityProviders": [], + "identityProviderMappers": [], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "fd92ba76-e8b6-473b-ae5b-324de55d1bec", + "name": "Consent Required", + "providerId": "consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "680d98da-7b39-42d7-addf-c8709f70e997", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "134087bf-1b89-43a2-9ed8-e835bf24698e", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + }, + { + "id": "6093461f-6bf9-47ef-902e-0cc6e795d468", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-usermodel-attribute-mapper", + "saml-user-attribute-mapper", + "oidc-full-name-mapper", + "saml-role-list-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-user-property-mapper", + "oidc-address-mapper", + "oidc-usermodel-property-mapper" + ] + } + }, + { + "id": "da0f1531-50c5-4c32-91d6-78a49c83c8f9", + "name": "Trusted Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + }, + { + "id": "ee589b19-fee3-43aa-a235-6ebad256fc88", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-address-mapper", + "oidc-usermodel-property-mapper", + "oidc-full-name-mapper", + "saml-user-attribute-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-role-list-mapper", + "oidc-usermodel-attribute-mapper", + "saml-user-property-mapper" + ] + } + }, + { + "id": "98947e9b-8db1-43a9-953b-b0a7a6529308", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "19309024-e8ed-41bf-aaab-120b77546970", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "6873ae62-f710-410f-adff-4529edacecd5", + "name": "hmac-generated-hs512", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "HS512" + ] + } + }, + { + "id": "acaf8c35-8426-4212-b476-9755e750cba8", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + }, + { + "id": "79b45bb7-9f51-4a5d-9ddb-a38193869cf8", + "name": "rsa-enc-generated", + "providerId": "rsa-enc-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "RSA-OAEP" + ] + } + }, + { + "id": "6d6fdef5-fc2a-4283-872b-78d43683405a", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "820f56e1-92f9-489a-8d5b-435c3090d565", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] + }, + { + "id": "485f4929-8cd5-4823-ab43-46632ff328f1", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "7cd25178-93e4-40a1-85a3-a7eedd1eee58", + "alias": "Browser - Conditional Organization", + "description": "Flow to determine if the organization identity-first login is to be used", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "organization", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "13859544-1f4e-4d3a-9c59-160d72f1ef09", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "95b03f52-3e9a-4745-9f2d-fa92024f892a", + "alias": "First Broker Login - Conditional Organization", + "description": "Flow to determine if the authenticator that adds organization members is to be used", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "idp-add-organization-member", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "e0b0819f-f839-4ac3-93bc-a6944d789c6b", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "a39f72d5-7336-48bf-9abd-c6247d3c5188", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] + }, + { + "id": "d0ebe092-0fd9-4884-9df2-0fc19560cf0a", + "alias": "Organization", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 10, + "autheticatorFlow": true, + "flowAlias": "Browser - Conditional Organization", + "userSetupAllowed": false + } + ] + }, + { + "id": "7b9d4855-89f8-4df6-beda-bfb035f9a244", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "df1575c6-b9cd-4342-8c85-c6376853866d", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false + } + ] + }, + { + "id": "10a02bfc-f238-4b94-abbd-7706c2f21b70", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "63965b58-1b62-4f3a-9fd3-7e3e3c4c3eed", + "alias": "browser", + "description": "browser based authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 26, + "autheticatorFlow": true, + "flowAlias": "Organization", + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] + }, + { + "id": "618c8052-b998-4181-85f3-6e171a8ad356", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "ca3e691a-2326-450b-93d0-eb9929fc3745", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "e8c2f7fe-c611-4ef9-a062-8d6c3388f797", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "178a91fc-9bb6-43c2-88cc-5fd73afe2d75", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 50, + "autheticatorFlow": true, + "flowAlias": "First Broker Login - Conditional Organization", + "userSetupAllowed": false + } + ] + }, + { + "id": "4c38d67f-c298-4b46-aec8-df00f853e64a", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "ee4ae8cd-0770-44a0-89c5-de1bb96971df", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] + }, + { + "id": "9af610f3-08e4-4a3a-a2f2-a85c9cc65f88", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 60, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-terms-and-conditions", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 70, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "def02675-afb8-479b-9756-b6399c49a616", + "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "autheticatorFlow": true, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "4da59173-6c48-4f89-a8f1-b9ffe3952641", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "5aab6c05-0143-49e2-a8a7-b886685e00b9", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "c00631ca-8122-41e7-bffc-6034063cc7b1", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": "TERMS_AND_CONDITIONS", + "name": "Terms and Conditions", + "providerId": "TERMS_AND_CONDITIONS", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "CONFIGURE_RECOVERY_AUTHN_CODES", + "name": "Recovery Authentication Codes", + "providerId": "CONFIGURE_RECOVERY_AUTHN_CODES", + "enabled": true, + "defaultAction": false, + "priority": 70, + "config": {} + }, + { + "alias": "UPDATE_EMAIL", + "name": "Update Email", + "providerId": "UPDATE_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 70, + "config": {} + }, + { + "alias": "webauthn-register", + "name": "Webauthn Register", + "providerId": "webauthn-register", + "enabled": true, + "defaultAction": false, + "priority": 70, + "config": {} + }, + { + "alias": "webauthn-register-passwordless", + "name": "Webauthn Register Passwordless", + "providerId": "webauthn-register-passwordless", + "enabled": true, + "defaultAction": false, + "priority": 80, + "config": {} + }, + { + "alias": "VERIFY_PROFILE", + "name": "Verify Profile", + "providerId": "VERIFY_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 90, + "config": {} + }, + { + "alias": "delete_credential", + "name": "Delete Credential", + "providerId": "delete_credential", + "enabled": true, + "defaultAction": false, + "priority": 100, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "firstBrokerLoginFlow": "first broker login", + "attributes": { + "cibaBackchannelTokenDeliveryMode": "poll", + "cibaExpiresIn": "120", + "cibaAuthRequestedUserHint": "login_hint", + "oauth2DeviceCodeLifespan": "600", + "oauth2DevicePollingInterval": "5", + "parRequestUriLifespan": "60", + "cibaInterval": "5", + "realmReusableOtpCode": "false" + }, + "keycloakVersion": "25.0.5", + "userManagedAccessAllowed": false, + "organizationsEnabled": false, + "clientProfiles": { + "profiles": [] + }, + "clientPolicies": { + "policies": [] + } +} diff --git a/src/test/java/de/adorsys/keycloak/config/configuration/NormalizeTestConfiguration.java b/src/test/java/de/adorsys/keycloak/config/configuration/NormalizeTestConfiguration.java new file mode 100644 index 000000000..a27f1e142 --- /dev/null +++ b/src/test/java/de/adorsys/keycloak/config/configuration/NormalizeTestConfiguration.java @@ -0,0 +1,35 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2021 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.configuration; + +import de.adorsys.keycloak.config.properties.NormalizationConfigProperties; +import de.adorsys.keycloak.config.properties.NormalizationKeycloakConfigProperties; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.boot.context.properties.EnableConfigurationProperties; +import org.springframework.context.annotation.ComponentScan; +import org.springframework.context.annotation.Configuration; + +@Configuration +@ComponentScan(basePackages = {"de.adorsys.keycloak.config"}) +@EnableConfigurationProperties({NormalizationKeycloakConfigProperties.class, NormalizationConfigProperties.class}) +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "NORMALIZE") +public class NormalizeTestConfiguration { +} diff --git a/src/test/java/de/adorsys/keycloak/config/configuration/TestConfiguration.java b/src/test/java/de/adorsys/keycloak/config/configuration/TestConfiguration.java index 27685c07a..258f4b868 100644 --- a/src/test/java/de/adorsys/keycloak/config/configuration/TestConfiguration.java +++ b/src/test/java/de/adorsys/keycloak/config/configuration/TestConfiguration.java @@ -22,6 +22,7 @@ import de.adorsys.keycloak.config.properties.ImportConfigProperties; import de.adorsys.keycloak.config.properties.KeycloakConfigProperties; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.boot.context.properties.EnableConfigurationProperties; import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; @@ -29,6 +30,7 @@ @Configuration @ComponentScan(basePackages = {"de.adorsys.keycloak.config"}) @EnableConfigurationProperties({KeycloakConfigProperties.class, ImportConfigProperties.class}) +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class TestConfiguration { } diff --git a/src/test/java/de/adorsys/keycloak/config/normalize/AbstractNormalizeTest.java b/src/test/java/de/adorsys/keycloak/config/normalize/AbstractNormalizeTest.java new file mode 100644 index 000000000..be0412dee --- /dev/null +++ b/src/test/java/de/adorsys/keycloak/config/normalize/AbstractNormalizeTest.java @@ -0,0 +1,47 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2021 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package de.adorsys.keycloak.config.normalize; + +import de.adorsys.keycloak.config.configuration.NormalizeTestConfiguration; +import de.adorsys.keycloak.config.extensions.GithubActionsExtension; +import org.junit.jupiter.api.*; +import org.junit.jupiter.api.extension.ExtendWith; +import org.springframework.boot.test.context.ConfigDataApplicationContextInitializer; +import org.springframework.boot.test.system.OutputCaptureExtension; +import org.springframework.test.context.ActiveProfiles; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit.jupiter.SpringExtension; + +import static java.util.concurrent.TimeUnit.SECONDS; + +@ExtendWith(SpringExtension.class) +@ExtendWith(GithubActionsExtension.class) +@ExtendWith(OutputCaptureExtension.class) +@ContextConfiguration( + classes = {NormalizeTestConfiguration.class}, + initializers = {ConfigDataApplicationContextInitializer.class} +) +@ActiveProfiles("normalize-IT") +@TestMethodOrder(MethodOrderer.OrderAnnotation.class) +@TestClassOrder(ClassOrderer.OrderAnnotation.class) +@Timeout(value = 30, unit = SECONDS) +public abstract class AbstractNormalizeTest { +} diff --git a/src/test/java/de/adorsys/keycloak/config/service/normalize/AuthFlowNormalizationServiceConfigIT.java b/src/test/java/de/adorsys/keycloak/config/service/normalize/AuthFlowNormalizationServiceConfigIT.java new file mode 100644 index 000000000..e84a02747 --- /dev/null +++ b/src/test/java/de/adorsys/keycloak/config/service/normalize/AuthFlowNormalizationServiceConfigIT.java @@ -0,0 +1,100 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2021 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ +package de.adorsys.keycloak.config.service.normalize; + +import de.adorsys.keycloak.config.normalize.AbstractNormalizeTest; +import org.assertj.core.api.Assertions; +import org.junit.jupiter.api.Test; +import org.keycloak.representations.idm.AuthenticationExecutionExportRepresentation; +import org.keycloak.representations.idm.AuthenticationFlowRepresentation; +import org.keycloak.representations.idm.AuthenticatorConfigRepresentation; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.system.CapturedOutput; + +import java.util.ArrayList; +import java.util.List; +import java.util.UUID; + +class AuthFlowNormalizationServiceConfigIT extends AbstractNormalizeTest { + + @Autowired + AuthFlowNormalizationService service; + + @Test + public void testNormalizeAuthConfigsWithEmptyListsIsNull() { + var resultingAuthConfig = service.normalizeAuthConfig(new ArrayList<>(), new ArrayList<>()); + Assertions.assertThat(resultingAuthConfig).isNull(); + } + + @Test + public void testNormalizeAuthConfigsAreRemovedWithoutAliasReference(CapturedOutput output) { + AuthenticatorConfigRepresentation authenticatorConfigRepresentation = new AuthenticatorConfigRepresentation(); + authenticatorConfigRepresentation.setAlias("config2"); + + AuthenticationFlowRepresentation authenticationFlowRepresentation = new AuthenticationFlowRepresentation(); + + AuthenticationExecutionExportRepresentation authenticationExecutionExportRepresentation = new AuthenticationExecutionExportRepresentation(); + authenticationExecutionExportRepresentation.setAuthenticatorConfig("config1"); + authenticationFlowRepresentation.setAuthenticationExecutions(List.of(authenticationExecutionExportRepresentation)); + + var resultingAuthConfig = service.normalizeAuthConfig(List.of(authenticatorConfigRepresentation), List.of(authenticationFlowRepresentation)); + + Assertions.assertThat(resultingAuthConfig).isNull(); + Assertions.assertThat(output.getOut()).contains("Some authenticator configs are unused."); + } + + @Test + public void testNormalizeAuthConfigsRemainWithAliasReference() { + AuthenticatorConfigRepresentation authenticatorConfigRepresentation = new AuthenticatorConfigRepresentation(); + authenticatorConfigRepresentation.setAlias("config1"); + + AuthenticationFlowRepresentation authenticationFlowRepresentation = new AuthenticationFlowRepresentation(); + + AuthenticationExecutionExportRepresentation authenticationExecutionExportRepresentation = new AuthenticationExecutionExportRepresentation(); + authenticationExecutionExportRepresentation.setAuthenticatorConfig("config1"); + authenticationFlowRepresentation.setAuthenticationExecutions(List.of(authenticationExecutionExportRepresentation)); + + var resultingAuthConfig = service.normalizeAuthConfig(List.of(authenticatorConfigRepresentation), List.of(authenticationFlowRepresentation)); + + Assertions.assertThat(resultingAuthConfig).containsExactlyInAnyOrder(authenticatorConfigRepresentation); + } + + @Test + public void testNormalizeAuthConfigsCheckedForDuplicates(CapturedOutput output) { + AuthenticatorConfigRepresentation authenticatorConfigRepresentation1 = new AuthenticatorConfigRepresentation(); + authenticatorConfigRepresentation1.setId(UUID.randomUUID().toString()); + authenticatorConfigRepresentation1.setAlias("config1"); + + AuthenticatorConfigRepresentation authenticatorConfigRepresentation2 = new AuthenticatorConfigRepresentation(); + authenticatorConfigRepresentation2.setId(UUID.randomUUID().toString()); + authenticatorConfigRepresentation2.setAlias("config1"); + + AuthenticationFlowRepresentation authenticationFlowRepresentation = new AuthenticationFlowRepresentation(); + + AuthenticationExecutionExportRepresentation authenticationExecutionExportRepresentation = new AuthenticationExecutionExportRepresentation(); + authenticationExecutionExportRepresentation.setAuthenticatorConfig("config1"); + authenticationFlowRepresentation.setAuthenticationExecutions(List.of(authenticationExecutionExportRepresentation)); + + var resultingAuthConfig = service.normalizeAuthConfig(List.of(authenticatorConfigRepresentation1, authenticatorConfigRepresentation2), List.of(authenticationFlowRepresentation)); + + Assertions.assertThat(resultingAuthConfig).containsExactlyInAnyOrder(authenticatorConfigRepresentation1, authenticatorConfigRepresentation2); + Assertions.assertThat(output.getOut()).contains("The following authenticator configs are duplicates: [config1]"); + } +} diff --git a/src/test/java/de/adorsys/keycloak/config/service/normalize/AuthFlowNormalizationServiceFlowIT.java b/src/test/java/de/adorsys/keycloak/config/service/normalize/AuthFlowNormalizationServiceFlowIT.java new file mode 100644 index 000000000..9cf67c2dd --- /dev/null +++ b/src/test/java/de/adorsys/keycloak/config/service/normalize/AuthFlowNormalizationServiceFlowIT.java @@ -0,0 +1,72 @@ +/*- + * ---license-start + * keycloak-config-cli + * --- + * Copyright (C) 2017 - 2021 adorsys GmbH & Co. KG @ https://adorsys.com + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ +package de.adorsys.keycloak.config.service.normalize; + +import de.adorsys.keycloak.config.normalize.AbstractNormalizeTest; +import org.assertj.core.api.Assertions; +import org.junit.jupiter.api.Test; +import org.keycloak.representations.idm.AuthenticationFlowRepresentation; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.system.CapturedOutput; + +import java.util.ArrayList; +import java.util.List; + +class AuthFlowNormalizationServiceFlowIT extends AbstractNormalizeTest { + + @Autowired + AuthFlowNormalizationService service; + + + @Test + public void testNormalizeAuthFlows() { + var resultingAuthFlows = service.normalizeAuthFlows(new ArrayList<>(), new ArrayList<>()); + Assertions.assertThat(resultingAuthFlows).isNull(); + } + + @Test + public void testNormalizeAuthFlowsIgnoreBuiltInTrue() { + AuthenticationFlowRepresentation authenticationFlowRepresentation = new AuthenticationFlowRepresentation(); + authenticationFlowRepresentation.setBuiltIn(true); + + AuthenticationFlowRepresentation authenticationFlowRepresentationBaseline = new AuthenticationFlowRepresentation(); + authenticationFlowRepresentationBaseline.setBuiltIn(true); + + var resultingAuthFlows = service.normalizeAuthFlows(List.of(authenticationFlowRepresentation), List.of(authenticationFlowRepresentationBaseline)); + + Assertions.assertThat(resultingAuthFlows).isNull(); + } + + @Test + public void testNormalizeAuthFlowsIgnoreBuiltInTrueButBaselineHasEntryCreatesRecreationWarning(CapturedOutput output) { + AuthenticationFlowRepresentation authenticationFlowRepresentation = new AuthenticationFlowRepresentation(); + authenticationFlowRepresentation.setBuiltIn(true); + + AuthenticationFlowRepresentation authenticationFlowRepresentationBaseline = new AuthenticationFlowRepresentation(); + authenticationFlowRepresentationBaseline.setBuiltIn(false); + authenticationFlowRepresentationBaseline.setAlias("flow1"); + + var resultingAuthFlows = service.normalizeAuthFlows(List.of(authenticationFlowRepresentation), List.of(authenticationFlowRepresentationBaseline)); + + Assertions.assertThat(resultingAuthFlows).isNull(); + Assertions.assertThat(output.getOut()).contains("Default realm authentication flow 'flow1' was deleted in exported realm. It may be reintroduced during import"); + + } +} diff --git a/src/test/java/de/adorsys/keycloak/config/test/util/KeycloakAuthentication.java b/src/test/java/de/adorsys/keycloak/config/test/util/KeycloakAuthentication.java index fc51a9c29..0fd695d1b 100644 --- a/src/test/java/de/adorsys/keycloak/config/test/util/KeycloakAuthentication.java +++ b/src/test/java/de/adorsys/keycloak/config/test/util/KeycloakAuthentication.java @@ -24,9 +24,11 @@ import org.keycloak.admin.client.Keycloak; import org.keycloak.representations.AccessTokenResponse; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Component; @Component +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class KeycloakAuthentication { private final KeycloakConfigProperties keycloakConfigProperties; diff --git a/src/test/java/de/adorsys/keycloak/config/test/util/KeycloakRepository.java b/src/test/java/de/adorsys/keycloak/config/test/util/KeycloakRepository.java index 4e4c15260..4e5da67fa 100644 --- a/src/test/java/de/adorsys/keycloak/config/test/util/KeycloakRepository.java +++ b/src/test/java/de/adorsys/keycloak/config/test/util/KeycloakRepository.java @@ -24,6 +24,7 @@ import org.keycloak.admin.client.resource.UserResource; import org.keycloak.representations.idm.*; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Component; import java.util.List; @@ -34,6 +35,7 @@ import static org.hamcrest.Matchers.hasSize; @Component +@ConditionalOnProperty(prefix = "run", name = "operation", havingValue = "IMPORT", matchIfMissing = true) public class KeycloakRepository { private final KeycloakProvider keycloakProvider; diff --git a/src/test/resources/application-normalize-IT.properties b/src/test/resources/application-normalize-IT.properties new file mode 100644 index 000000000..77a36297e --- /dev/null +++ b/src/test/resources/application-normalize-IT.properties @@ -0,0 +1,3 @@ +run.operation=normalize +normalization.files.input-locations=default +normalization.files.output-directory=default-output diff --git a/src/test/resources/import-files/exported-realm/25.0.1/master-realm.json b/src/test/resources/import-files/exported-realm/25.0.1/master-realm.json index 0b3fba793..6856d9e6c 100644 --- a/src/test/resources/import-files/exported-realm/25.0.1/master-realm.json +++ b/src/test/resources/import-files/exported-realm/25.0.1/master-realm.json @@ -1,5 +1,5 @@ { - "id" : "758ff4fc-bf09-403b-adbe-c9a56cadd5d3", + "id" : "6219f172-5cbc-40f1-99fc-74218bbb2642", "realm" : "master", "displayName" : "Keycloak", "displayNameHtml" : "
Keycloak
", @@ -48,56 +48,56 @@ "failureFactor" : 30, "roles" : { "realm" : [ { - "id" : "53a94a55-01b7-4ac3-97a1-1df924dfcf05", - "name" : "admin", - "description" : "${role_admin}", - "composite" : true, - "composites" : { - "realm" : [ "create-realm" ], - "client" : { - "master-realm" : [ "view-identity-providers", "manage-realm", "view-authorization", "query-realms", "manage-users", "query-groups", "manage-events", "impersonation", "create-client", "view-users", "manage-authorization", "manage-clients", "manage-identity-providers", "view-events", "query-clients", "view-realm", "query-users", "view-clients" ] - } - }, + "id" : "6adf69e5-3f69-4ae0-b2f9-6bf3663f10df", + "name" : "create-realm", + "description" : "${role_create-realm}", + "composite" : false, "clientRole" : false, - "containerId" : "758ff4fc-bf09-403b-adbe-c9a56cadd5d3", + "containerId" : "6219f172-5cbc-40f1-99fc-74218bbb2642", "attributes" : { } }, { - "id" : "1d93addd-604f-4388-bff2-48849ce0317c", - "name" : "default-roles-master", - "description" : "${role_default-roles}", + "id" : "bb03f721-bd79-4a61-97a5-963ed89fffc2", + "name" : "admin", + "description" : "${role_admin}", "composite" : true, "composites" : { - "realm" : [ "offline_access", "uma_authorization" ], + "realm" : [ "create-realm" ], "client" : { - "account" : [ "manage-account", "view-profile" ] + "master-realm" : [ "view-realm", "query-groups", "view-identity-providers", "view-users", "manage-clients", "impersonation", "view-events", "view-authorization", "create-client", "manage-identity-providers", "query-users", "manage-events", "manage-realm", "view-clients", "query-clients", "manage-users", "query-realms", "manage-authorization" ] } }, "clientRole" : false, - "containerId" : "758ff4fc-bf09-403b-adbe-c9a56cadd5d3", + "containerId" : "6219f172-5cbc-40f1-99fc-74218bbb2642", "attributes" : { } }, { - "id" : "9b065c78-db9e-4183-b94c-32e4e938e753", + "id" : "a679e5c1-976e-48bf-9082-02d743a9e589", "name" : "uma_authorization", "description" : "${role_uma_authorization}", "composite" : false, "clientRole" : false, - "containerId" : "758ff4fc-bf09-403b-adbe-c9a56cadd5d3", + "containerId" : "6219f172-5cbc-40f1-99fc-74218bbb2642", "attributes" : { } }, { - "id" : "98701e4d-2cb1-4916-b6c1-3a1e5fa8b98f", - "name" : "create-realm", - "description" : "${role_create-realm}", + "id" : "ac87814d-ff14-4e9d-8868-b266c437e6d6", + "name" : "offline_access", + "description" : "${role_offline-access}", "composite" : false, "clientRole" : false, - "containerId" : "758ff4fc-bf09-403b-adbe-c9a56cadd5d3", + "containerId" : "6219f172-5cbc-40f1-99fc-74218bbb2642", "attributes" : { } }, { - "id" : "868a6403-4176-49bf-a0e7-57f97f738a93", - "name" : "offline_access", - "description" : "${role_offline-access}", - "composite" : false, + "id" : "0de3d9a9-ce18-4638-806f-a96e61e93e62", + "name" : "default-roles-master", + "description" : "${role_default-roles}", + "composite" : true, + "composites" : { + "realm" : [ "offline_access", "uma_authorization" ], + "client" : { + "account" : [ "view-profile", "manage-account" ] + } + }, "clientRole" : false, - "containerId" : "758ff4fc-bf09-403b-adbe-c9a56cadd5d3", + "containerId" : "6219f172-5cbc-40f1-99fc-74218bbb2642", "attributes" : { } } ], "client" : { @@ -105,254 +105,254 @@ "admin-cli" : [ ], "account-console" : [ ], "broker" : [ { - "id" : "a6139113-e9c8-4343-9de3-3a46d4c4efe7", + "id" : "79f6152f-2a01-49de-9bda-217c8dc37ed9", "name" : "read-token", "description" : "${role_read-token}", "composite" : false, "clientRole" : true, - "containerId" : "6b259285-42b1-430f-b619-b83ca1b86e14", + "containerId" : "7000b14a-6262-498a-a2f5-244e4678377b", "attributes" : { } } ], "master-realm" : [ { - "id" : "a163010b-6b99-4f2e-abe3-7f36ba5f5216", - "name" : "manage-realm", - "description" : "${role_manage-realm}", + "id" : "c392c688-47d7-437b-adec-22136507b23f", + "name" : "view-realm", + "description" : "${role_view-realm}", "composite" : false, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } }, { - "id" : "2c6efea3-2979-45e8-b10a-b95ececa0a25", - "name" : "view-identity-providers", - "description" : "${role_view-identity-providers}", + "id" : "67373ba8-2fef-486f-a073-f70fe6ff2d40", + "name" : "query-groups", + "description" : "${role_query-groups}", "composite" : false, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } }, { - "id" : "e978f2e8-76ed-45cf-a23e-66ee5cbc95b8", - "name" : "view-authorization", - "description" : "${role_view-authorization}", + "id" : "ceb4d197-4bcc-47e8-8a01-23cdbf866d99", + "name" : "manage-clients", + "description" : "${role_manage-clients}", "composite" : false, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } }, { - "id" : "b548358b-4380-4e03-bb26-06b3411b19ad", - "name" : "query-realms", - "description" : "${role_query-realms}", + "id" : "1cbe7eae-2531-4886-8e15-4ebcb64f4d6a", + "name" : "view-identity-providers", + "description" : "${role_view-identity-providers}", "composite" : false, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } }, { - "id" : "9cb299ae-2994-4d56-afab-1de48dcceb40", - "name" : "manage-users", - "description" : "${role_manage-users}", - "composite" : false, + "id" : "7f84085d-61a9-48ea-9413-f1a6cf624de3", + "name" : "view-users", + "description" : "${role_view-users}", + "composite" : true, + "composites" : { + "client" : { + "master-realm" : [ "query-users", "query-groups" ] + } + }, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } }, { - "id" : "97eb77cd-1b31-4c65-a259-e223625d3f57", - "name" : "query-groups", - "description" : "${role_query-groups}", + "id" : "90844634-3048-4978-9627-850fd860cff9", + "name" : "impersonation", + "description" : "${role_impersonation}", "composite" : false, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } }, { - "id" : "87209a50-c857-4c25-927c-e99894473644", - "name" : "manage-events", - "description" : "${role_manage-events}", + "id" : "c3f0eca1-d6f3-444e-af5f-f5d06aae2109", + "name" : "view-events", + "description" : "${role_view-events}", "composite" : false, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } }, { - "id" : "2cc052ac-aa7f-4b7f-a214-90970e1796fd", - "name" : "impersonation", - "description" : "${role_impersonation}", + "id" : "25add48d-8b05-4e38-a186-1b87bb6e41d8", + "name" : "view-authorization", + "description" : "${role_view-authorization}", "composite" : false, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } }, { - "id" : "3346327d-b28e-4953-8221-f2df72921c57", + "id" : "f4982c2e-16eb-4952-a89d-baedccef43ee", "name" : "create-client", "description" : "${role_create-client}", "composite" : false, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } }, { - "id" : "c1acb6df-0a73-4c25-a60c-ef3056402f0c", - "name" : "view-users", - "description" : "${role_view-users}", - "composite" : true, - "composites" : { - "client" : { - "master-realm" : [ "query-groups", "query-users" ] - } - }, + "id" : "f86aba84-f00c-4e7f-b61a-69b904407054", + "name" : "manage-identity-providers", + "description" : "${role_manage-identity-providers}", + "composite" : false, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } }, { - "id" : "63b51825-4b31-4202-aa8d-3bcff3a32e81", - "name" : "manage-authorization", - "description" : "${role_manage-authorization}", + "id" : "af9bd51e-4ea8-4f76-a6e4-24a3c185199a", + "name" : "query-users", + "description" : "${role_query-users}", "composite" : false, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } }, { - "id" : "972d72c4-1f32-4820-88c8-cecca886f210", - "name" : "manage-clients", - "description" : "${role_manage-clients}", + "id" : "f5f10511-8bb2-42c0-9c29-e65704de7975", + "name" : "manage-events", + "description" : "${role_manage-events}", "composite" : false, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } }, { - "id" : "a859851a-ad17-44f8-a166-976a7f747dc9", - "name" : "manage-identity-providers", - "description" : "${role_manage-identity-providers}", + "id" : "639eb9ed-6a64-4c39-9fbb-62eab53f8757", + "name" : "manage-realm", + "description" : "${role_manage-realm}", "composite" : false, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } }, { - "id" : "ae843368-1257-444d-8bd9-5e7bca083c9c", - "name" : "view-events", - "description" : "${role_view-events}", - "composite" : false, + "id" : "6528f9b3-441b-4804-a1ce-e49800180828", + "name" : "view-clients", + "description" : "${role_view-clients}", + "composite" : true, + "composites" : { + "client" : { + "master-realm" : [ "query-clients" ] + } + }, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } }, { - "id" : "54aeb96f-1659-44d0-b04a-8b6b4a366b86", + "id" : "8806c16d-f477-4961-822f-84a85943d1a5", "name" : "query-clients", "description" : "${role_query-clients}", "composite" : false, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } }, { - "id" : "4005abb7-7e93-4d21-abd6-2831ac384d38", - "name" : "view-realm", - "description" : "${role_view-realm}", + "id" : "d49309b7-e9db-44d1-bb2a-9400749b2cba", + "name" : "manage-users", + "description" : "${role_manage-users}", "composite" : false, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } }, { - "id" : "119041e5-873f-4e61-a507-8e34e4a29c83", - "name" : "query-users", - "description" : "${role_query-users}", + "id" : "b248d6b9-88a9-446c-b342-cffa0c0e1c68", + "name" : "manage-authorization", + "description" : "${role_manage-authorization}", "composite" : false, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } }, { - "id" : "6582bf22-fb94-4c3d-9269-3ba600b6a3a1", - "name" : "view-clients", - "description" : "${role_view-clients}", - "composite" : true, - "composites" : { - "client" : { - "master-realm" : [ "query-clients" ] - } - }, + "id" : "649be7d5-0867-4239-823e-1a52009723a0", + "name" : "query-realms", + "description" : "${role_query-realms}", + "composite" : false, "clientRole" : true, - "containerId" : "01702696-84f2-4815-9385-493495f5542e", + "containerId" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "attributes" : { } } ], "account" : [ { - "id" : "5319ddd7-6971-4022-b43a-30ee6029d25d", - "name" : "manage-consent", - "description" : "${role_manage-consent}", + "id" : "00f89d17-5a26-43b4-978d-0bdf53aff4c2", + "name" : "view-profile", + "description" : "${role_view-profile}", + "composite" : false, + "clientRole" : true, + "containerId" : "0db272fc-6ba8-45fc-b64a-ec0f21ab60c7", + "attributes" : { } + }, { + "id" : "4bef4c6e-b8b4-48b5-9da9-6997e5b1c736", + "name" : "manage-account", + "description" : "${role_manage-account}", "composite" : true, "composites" : { "client" : { - "account" : [ "view-consent" ] + "account" : [ "manage-account-links" ] } }, "clientRole" : true, - "containerId" : "3dca789b-ddb0-4882-9dc3-9162dbce1a34", + "containerId" : "0db272fc-6ba8-45fc-b64a-ec0f21ab60c7", "attributes" : { } }, { - "id" : "8a61a541-f46c-406a-8d50-0dcd3821ad19", - "name" : "manage-account", - "description" : "${role_manage-account}", + "id" : "4ee3ca7d-80d3-48a9-8abc-a81810f8a54d", + "name" : "manage-consent", + "description" : "${role_manage-consent}", "composite" : true, "composites" : { "client" : { - "account" : [ "manage-account-links" ] + "account" : [ "view-consent" ] } }, "clientRole" : true, - "containerId" : "3dca789b-ddb0-4882-9dc3-9162dbce1a34", + "containerId" : "0db272fc-6ba8-45fc-b64a-ec0f21ab60c7", "attributes" : { } }, { - "id" : "91b1cb2f-7fba-40e5-9988-b43d4ebb25d9", - "name" : "manage-account-links", - "description" : "${role_manage-account-links}", + "id" : "b9b776b4-6b04-469f-ab21-5afb25b1c77d", + "name" : "delete-account", + "description" : "${role_delete-account}", "composite" : false, "clientRole" : true, - "containerId" : "3dca789b-ddb0-4882-9dc3-9162dbce1a34", + "containerId" : "0db272fc-6ba8-45fc-b64a-ec0f21ab60c7", "attributes" : { } }, { - "id" : "18cdd8ee-f35c-40e6-a09a-5743388b6f18", + "id" : "c827cdf1-85c9-4e89-a71e-dff5bd5efb3d", "name" : "view-applications", "description" : "${role_view-applications}", "composite" : false, "clientRole" : true, - "containerId" : "3dca789b-ddb0-4882-9dc3-9162dbce1a34", + "containerId" : "0db272fc-6ba8-45fc-b64a-ec0f21ab60c7", "attributes" : { } }, { - "id" : "346078cb-e7e0-45f8-b738-1bf58b02251d", - "name" : "view-profile", - "description" : "${role_view-profile}", + "id" : "8517234d-dc7e-4902-b51b-d1e4084388dd", + "name" : "view-groups", + "description" : "${role_view-groups}", "composite" : false, "clientRole" : true, - "containerId" : "3dca789b-ddb0-4882-9dc3-9162dbce1a34", + "containerId" : "0db272fc-6ba8-45fc-b64a-ec0f21ab60c7", "attributes" : { } }, { - "id" : "518fb059-94bd-4b76-96b4-8c08381ceab8", - "name" : "delete-account", - "description" : "${role_delete-account}", + "id" : "558181c3-87d7-4e45-a4bf-f794c2fec2bb", + "name" : "manage-account-links", + "description" : "${role_manage-account-links}", "composite" : false, "clientRole" : true, - "containerId" : "3dca789b-ddb0-4882-9dc3-9162dbce1a34", + "containerId" : "0db272fc-6ba8-45fc-b64a-ec0f21ab60c7", "attributes" : { } }, { - "id" : "7d8f33e0-f53a-4d5a-9e0d-422a245cb236", + "id" : "fd7dd764-fc90-41da-8d03-dac55062f432", "name" : "view-consent", "description" : "${role_view-consent}", "composite" : false, "clientRole" : true, - "containerId" : "3dca789b-ddb0-4882-9dc3-9162dbce1a34", - "attributes" : { } - }, { - "id" : "717fdfe3-4d46-4d23-8248-5b06b73a5d26", - "name" : "view-groups", - "description" : "${role_view-groups}", - "composite" : false, - "clientRole" : true, - "containerId" : "3dca789b-ddb0-4882-9dc3-9162dbce1a34", + "containerId" : "0db272fc-6ba8-45fc-b64a-ec0f21ab60c7", "attributes" : { } } ] } }, "groups" : [ ], "defaultRole" : { - "id" : "1d93addd-604f-4388-bff2-48849ce0317c", + "id" : "0de3d9a9-ce18-4638-806f-a96e61e93e62", "name" : "default-roles-master", "description" : "${role_default-roles}", "composite" : true, "clientRole" : false, - "containerId" : "758ff4fc-bf09-403b-adbe-c9a56cadd5d3" + "containerId" : "6219f172-5cbc-40f1-99fc-74218bbb2642" }, "requiredCredentials" : [ "password" ], "otpPolicyType" : "totp", @@ -397,7 +397,7 @@ } ] }, "clients" : [ { - "id" : "3dca789b-ddb0-4882-9dc3-9162dbce1a34", + "id" : "0db272fc-6ba8-45fc-b64a-ec0f21ab60c7", "clientId" : "account", "name" : "${client_account}", "rootUrl" : "${authBaseUrl}", @@ -424,10 +424,10 @@ "authenticationFlowBindingOverrides" : { }, "fullScopeAllowed" : false, "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "basic", "email" ], + "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "basic", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { - "id" : "fcc26741-1267-44df-880c-0db1273037db", + "id" : "4b5a85e3-b814-4490-a08f-450411a65f38", "clientId" : "account-console", "name" : "${client_account-console}", "rootUrl" : "${authBaseUrl}", @@ -456,17 +456,17 @@ "fullScopeAllowed" : false, "nodeReRegistrationTimeout" : 0, "protocolMappers" : [ { - "id" : "5f785b3b-9c2f-40d6-a090-2391dec074c5", + "id" : "cff0218a-6481-4a33-9a1d-35ffe3b9b532", "name" : "audience resolve", "protocol" : "openid-connect", "protocolMapper" : "oidc-audience-resolve-mapper", "consentRequired" : false, "config" : { } } ], - "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "basic", "email" ], + "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "basic", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { - "id" : "eca9e50a-1405-4a18-ba60-50079856d282", + "id" : "ba46734c-078a-45a4-9ab6-6462abee8aca", "clientId" : "admin-cli", "name" : "${client_admin-cli}", "surrogateAuthRequired" : false, @@ -489,10 +489,10 @@ "authenticationFlowBindingOverrides" : { }, "fullScopeAllowed" : false, "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "basic", "email" ], + "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "basic", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { - "id" : "6b259285-42b1-430f-b619-b83ca1b86e14", + "id" : "7000b14a-6262-498a-a2f5-244e4678377b", "clientId" : "broker", "name" : "${client_broker}", "surrogateAuthRequired" : false, @@ -515,10 +515,10 @@ "authenticationFlowBindingOverrides" : { }, "fullScopeAllowed" : false, "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "basic", "email" ], + "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "basic", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { - "id" : "01702696-84f2-4815-9385-493495f5542e", + "id" : "4d54a69f-edc0-40da-a0e1-5a8f136913e6", "clientId" : "master-realm", "name" : "master Realm", "surrogateAuthRequired" : false, @@ -540,10 +540,10 @@ "authenticationFlowBindingOverrides" : { }, "fullScopeAllowed" : false, "nodeReRegistrationTimeout" : 0, - "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "basic", "email" ], + "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "basic", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] }, { - "id" : "6a9e0ce9-0ceb-4bf4-9c12-245996c2d202", + "id" : "cd6fc819-1bd0-4173-974a-cee8ad45e24b", "clientId" : "security-admin-console", "name" : "${client_security-admin-console}", "rootUrl" : "${authAdminUrl}", @@ -572,7 +572,7 @@ "fullScopeAllowed" : false, "nodeReRegistrationTimeout" : 0, "protocolMappers" : [ { - "id" : "686aee26-100e-40f9-bff6-f09f38a48f17", + "id" : "5dd33aa0-3f10-4d21-a911-9849fd1d51c8", "name" : "locale", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-attribute-mapper", @@ -587,182 +587,214 @@ "jsonType.label" : "String" } } ], - "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "basic", "email" ], + "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "basic", "email" ], "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] } ], "clientScopes" : [ { - "id" : "899b0c35-7ed6-4898-a421-a7472af73c2f", - "name" : "email", - "description" : "OpenID Connect built-in scope: email", + "id" : "aae7ae1c-e7b8-44a1-8b7c-a0b1784025af", + "name" : "roles", + "description" : "OpenID Connect scope for add user roles to the access token", "protocol" : "openid-connect", "attributes" : { - "include.in.token.scope" : "true", - "consent.screen.text" : "${emailScopeConsentText}", + "include.in.token.scope" : "false", + "consent.screen.text" : "${rolesScopeConsentText}", "display.on.consent.screen" : "true" }, "protocolMappers" : [ { - "id" : "a2122fd7-8d95-4221-8928-0681c1403d30", - "name" : "email", + "id" : "a4387c51-3ae8-4afc-856b-fc7779bd4684", + "name" : "audience resolve", "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", + "protocolMapper" : "oidc-audience-resolve-mapper", "consentRequired" : false, "config" : { "introspection.token.claim" : "true", - "userinfo.token.claim" : "true", - "user.attribute" : "email", - "id.token.claim" : "true", + "access.token.claim" : "true" + } + }, { + "id" : "ebe74b14-fcf7-401d-94dd-493344976566", + "name" : "realm roles", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "user.attribute" : "foo", + "introspection.token.claim" : "true", "access.token.claim" : "true", - "claim.name" : "email", - "jsonType.label" : "String" + "claim.name" : "realm_access.roles", + "jsonType.label" : "String", + "multivalued" : "true" } }, { - "id" : "f8a0e045-fb36-4a13-8c2e-34831232676a", - "name" : "email verified", + "id" : "23becefb-f723-45f8-a10b-8bd038464259", + "name" : "client roles", "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-property-mapper", + "protocolMapper" : "oidc-usermodel-client-role-mapper", "consentRequired" : false, "config" : { + "user.attribute" : "foo", "introspection.token.claim" : "true", - "userinfo.token.claim" : "true", - "user.attribute" : "emailVerified", - "id.token.claim" : "true", "access.token.claim" : "true", - "claim.name" : "email_verified", - "jsonType.label" : "boolean" + "claim.name" : "resource_access.${client_id}.roles", + "jsonType.label" : "String", + "multivalued" : "true" } } ] }, { - "id" : "26251e40-1e68-4e9f-a09d-8e974d8a0f83", - "name" : "profile", - "description" : "OpenID Connect built-in scope: profile", + "id" : "1374660d-88db-4973-b069-4bca7ff7fcaa", + "name" : "address", + "description" : "OpenID Connect built-in scope: address", "protocol" : "openid-connect", "attributes" : { "include.in.token.scope" : "true", - "consent.screen.text" : "${profileScopeConsentText}", + "consent.screen.text" : "${addressScopeConsentText}", "display.on.consent.screen" : "true" }, "protocolMappers" : [ { - "id" : "3546bbbe-28dc-4d24-98fe-25b6d976bba7", - "name" : "birthdate", + "id" : "dc13ff65-fdb1-433c-864a-e9e417a020ef", + "name" : "address", "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", + "protocolMapper" : "oidc-address-mapper", "consentRequired" : false, "config" : { + "user.attribute.formatted" : "formatted", + "user.attribute.country" : "country", "introspection.token.claim" : "true", + "user.attribute.postal_code" : "postal_code", "userinfo.token.claim" : "true", - "user.attribute" : "birthdate", + "user.attribute.street" : "street", "id.token.claim" : "true", + "user.attribute.region" : "region", "access.token.claim" : "true", - "claim.name" : "birthdate", - "jsonType.label" : "String" + "user.attribute.locality" : "locality" } - }, { - "id" : "cea32932-d177-4a97-bf90-2470c7cea25c", - "name" : "updated at", + } ] + }, { + "id" : "2f39e5ff-3645-42de-bfbd-61c5e9e97444", + "name" : "microprofile-jwt", + "description" : "Microprofile - JWT built-in scope", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "false" + }, + "protocolMappers" : [ { + "id" : "5613edc2-0440-4b67-a2cf-4fa42de6edd6", + "name" : "groups", "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", "consentRequired" : false, "config" : { "introspection.token.claim" : "true", - "userinfo.token.claim" : "true", - "user.attribute" : "updatedAt", + "multivalued" : "true", + "user.attribute" : "foo", "id.token.claim" : "true", "access.token.claim" : "true", - "claim.name" : "updated_at", - "jsonType.label" : "long" + "claim.name" : "groups", + "jsonType.label" : "String" } }, { - "id" : "715e18d7-6065-4d3e-84e9-e0e132abac95", - "name" : "website", + "id" : "aed0d46f-b959-44d9-b816-277adb346924", + "name" : "upn", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-attribute-mapper", "consentRequired" : false, "config" : { "introspection.token.claim" : "true", "userinfo.token.claim" : "true", - "user.attribute" : "website", + "user.attribute" : "username", "id.token.claim" : "true", "access.token.claim" : "true", - "claim.name" : "website", + "claim.name" : "upn", "jsonType.label" : "String" } - }, { - "id" : "e75bbc3d-af42-401c-874f-52a4f93cc87e", - "name" : "locale", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { - "introspection.token.claim" : "true", + } ] + }, { + "id" : "c5f49220-a07e-44aa-a0a3-938a935fa84a", + "name" : "profile", + "description" : "OpenID Connect built-in scope: profile", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "consent.screen.text" : "${profileScopeConsentText}", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "79aba687-365d-4a32-9993-085e17be0357", + "name" : "given name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", "userinfo.token.claim" : "true", - "user.attribute" : "locale", + "user.attribute" : "firstName", "id.token.claim" : "true", "access.token.claim" : "true", - "claim.name" : "locale", + "claim.name" : "given_name", "jsonType.label" : "String" } }, { - "id" : "85a3678d-781f-4720-abc7-b7644d00c190", - "name" : "given name", + "id" : "e357d5ad-aaac-4763-b30a-0483e21fe170", + "name" : "username", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-attribute-mapper", "consentRequired" : false, "config" : { "introspection.token.claim" : "true", "userinfo.token.claim" : "true", - "user.attribute" : "firstName", + "user.attribute" : "username", "id.token.claim" : "true", "access.token.claim" : "true", - "claim.name" : "given_name", + "claim.name" : "preferred_username", "jsonType.label" : "String" } }, { - "id" : "2cf08e4b-96c9-4d1c-8dda-972fcb31ddc1", - "name" : "family name", + "id" : "4978de55-9d4c-44ef-b090-60cfe0107094", + "name" : "updated at", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-attribute-mapper", "consentRequired" : false, "config" : { "introspection.token.claim" : "true", "userinfo.token.claim" : "true", - "user.attribute" : "lastName", + "user.attribute" : "updatedAt", "id.token.claim" : "true", "access.token.claim" : "true", - "claim.name" : "family_name", - "jsonType.label" : "String" + "claim.name" : "updated_at", + "jsonType.label" : "long" } }, { - "id" : "3ffa4a0a-b80f-49ca-af51-1914071f38cb", - "name" : "username", + "id" : "a068f777-29aa-498d-8bd5-114e3324463a", + "name" : "website", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-attribute-mapper", "consentRequired" : false, "config" : { "introspection.token.claim" : "true", "userinfo.token.claim" : "true", - "user.attribute" : "username", + "user.attribute" : "website", "id.token.claim" : "true", "access.token.claim" : "true", - "claim.name" : "preferred_username", + "claim.name" : "website", "jsonType.label" : "String" } }, { - "id" : "313e8b54-2446-4279-a2b0-1d0436ecd83b", - "name" : "middle name", + "id" : "70882b82-8ac2-4014-926b-900e2b5dea9a", + "name" : "profile", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-attribute-mapper", "consentRequired" : false, "config" : { "introspection.token.claim" : "true", "userinfo.token.claim" : "true", - "user.attribute" : "middleName", + "user.attribute" : "profile", "id.token.claim" : "true", "access.token.claim" : "true", - "claim.name" : "middle_name", + "claim.name" : "profile", "jsonType.label" : "String" } }, { - "id" : "92e5dbd5-f2ab-42d7-a297-4c1fcf3b4fb5", + "id" : "c3817b85-b874-4fef-8aa3-551df9fd82bf", "name" : "full name", "protocol" : "openid-connect", "protocolMapper" : "oidc-full-name-mapper", @@ -774,22 +806,22 @@ "userinfo.token.claim" : "true" } }, { - "id" : "888ae77e-149f-4e61-9b57-b977df391261", - "name" : "picture", + "id" : "91b49f55-c0da-4bc4-a011-07239c9af877", + "name" : "middle name", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-attribute-mapper", "consentRequired" : false, "config" : { "introspection.token.claim" : "true", "userinfo.token.claim" : "true", - "user.attribute" : "picture", + "user.attribute" : "middleName", "id.token.claim" : "true", "access.token.claim" : "true", - "claim.name" : "picture", + "claim.name" : "middle_name", "jsonType.label" : "String" } }, { - "id" : "8d9a48f6-9891-4096-b154-5ff53e4a92fb", + "id" : "a0c47ed4-638a-4249-af90-2ac1d041ba8f", "name" : "gender", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-attribute-mapper", @@ -804,96 +836,98 @@ "jsonType.label" : "String" } }, { - "id" : "8d465f23-2d9d-4eba-89ef-beea34735658", - "name" : "nickname", + "id" : "5e321f9d-2580-44b4-9b6e-8c06518235a6", + "name" : "zoneinfo", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-attribute-mapper", "consentRequired" : false, "config" : { "introspection.token.claim" : "true", "userinfo.token.claim" : "true", - "user.attribute" : "nickname", + "user.attribute" : "zoneinfo", "id.token.claim" : "true", "access.token.claim" : "true", - "claim.name" : "nickname", + "claim.name" : "zoneinfo", "jsonType.label" : "String" } }, { - "id" : "846fc3d1-6e0d-47fc-ab57-bba15b77c8be", - "name" : "profile", + "id" : "ce6c6755-9351-4a3f-ac73-efc071ef225a", + "name" : "locale", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-attribute-mapper", "consentRequired" : false, "config" : { "introspection.token.claim" : "true", "userinfo.token.claim" : "true", - "user.attribute" : "profile", + "user.attribute" : "locale", "id.token.claim" : "true", "access.token.claim" : "true", - "claim.name" : "profile", + "claim.name" : "locale", "jsonType.label" : "String" } }, { - "id" : "9665ff98-2323-4d76-8c68-af8fbc0b049a", - "name" : "zoneinfo", + "id" : "302b2116-26fe-4b51-bf38-b43942e08afe", + "name" : "birthdate", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-attribute-mapper", "consentRequired" : false, "config" : { "introspection.token.claim" : "true", "userinfo.token.claim" : "true", - "user.attribute" : "zoneinfo", + "user.attribute" : "birthdate", "id.token.claim" : "true", "access.token.claim" : "true", - "claim.name" : "zoneinfo", + "claim.name" : "birthdate", "jsonType.label" : "String" } - } ] - }, { - "id" : "5da42d73-cd9c-4867-9aa2-92074e8f8ab4", - "name" : "basic", - "description" : "OpenID Connect scope for add all basic claims to the token", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "false", - "display.on.consent.screen" : "false" - }, - "protocolMappers" : [ { - "id" : "65e5ca75-9ad9-4ed9-b69b-aa71967d8a63", - "name" : "sub", + }, { + "id" : "92438586-bc3e-48e9-a4c5-ca16b7970be0", + "name" : "family name", "protocol" : "openid-connect", - "protocolMapper" : "oidc-sub-mapper", + "protocolMapper" : "oidc-usermodel-attribute-mapper", "consentRequired" : false, "config" : { "introspection.token.claim" : "true", - "access.token.claim" : "true" + "userinfo.token.claim" : "true", + "user.attribute" : "lastName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "family_name", + "jsonType.label" : "String" } }, { - "id" : "acc79e05-b344-43b3-918b-2832585bde15", - "name" : "auth_time", + "id" : "8c61c413-c9f2-4c11-8764-930d9941b5ae", + "name" : "nickname", "protocol" : "openid-connect", - "protocolMapper" : "oidc-usersessionmodel-note-mapper", + "protocolMapper" : "oidc-usermodel-attribute-mapper", "consentRequired" : false, "config" : { - "user.session.note" : "AUTH_TIME", + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "nickname", "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "nickname", + "jsonType.label" : "String" + } + }, { + "id" : "491ee6ac-8ef2-48bc-b246-e55c37f59add", + "name" : "picture", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "picture", + "id.token.claim" : "true", "access.token.claim" : "true", - "claim.name" : "auth_time", - "jsonType.label" : "long" + "claim.name" : "picture", + "jsonType.label" : "String" } } ] }, { - "id" : "320b51af-0c74-4d71-b6f4-dc262b4297f9", - "name" : "offline_access", - "description" : "OpenID Connect built-in scope: offline_access", - "protocol" : "openid-connect", - "attributes" : { - "consent.screen.text" : "${offlineAccessScopeConsentText}", - "display.on.consent.screen" : "true" - } - }, { - "id" : "84bb2402-4693-4078-9cf0-8d8fa2d09408", + "id" : "85a4c487-8c44-4f76-b410-4a27c4083f47", "name" : "phone", "description" : "OpenID Connect built-in scope: phone", "protocol" : "openid-connect", @@ -903,7 +937,7 @@ "display.on.consent.screen" : "true" }, "protocolMappers" : [ { - "id" : "b5f014fb-0ab0-48cf-a676-8e1c5dadef0b", + "id" : "d6b080b8-3d56-4e43-acb1-3c1b070fe8af", "name" : "phone number", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-attribute-mapper", @@ -918,7 +952,7 @@ "jsonType.label" : "String" } }, { - "id" : "bf410999-86a7-49a6-9c3c-05fc8cb83605", + "id" : "cfecf6e0-9e79-4436-9d39-ed55e900a67e", "name" : "phone number verified", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-attribute-mapper", @@ -934,167 +968,112 @@ } } ] }, { - "id" : "ab92a399-0b8b-4821-96a9-feafef914549", - "name" : "acr", - "description" : "OpenID Connect scope for add acr (authentication context class reference) to the token", + "id" : "bd1afe0e-1af8-4cba-bc93-c77b558d9067", + "name" : "basic", + "description" : "OpenID Connect scope for add all basic claims to the token", "protocol" : "openid-connect", "attributes" : { "include.in.token.scope" : "false", "display.on.consent.screen" : "false" }, "protocolMappers" : [ { - "id" : "2b06dd12-3493-4f63-8878-0d847514e641", - "name" : "acr loa level", + "id" : "42df3f15-5f54-4b88-9541-bcde05766379", + "name" : "auth_time", "protocol" : "openid-connect", - "protocolMapper" : "oidc-acr-mapper", + "protocolMapper" : "oidc-usersessionmodel-note-mapper", "consentRequired" : false, "config" : { + "user.session.note" : "AUTH_TIME", "id.token.claim" : "true", "introspection.token.claim" : "true", - "access.token.claim" : "true" + "access.token.claim" : "true", + "claim.name" : "auth_time", + "jsonType.label" : "long" } - } ] - }, { - "id" : "46dd6349-36e6-476b-9dbf-180bc8a31b83", - "name" : "address", - "description" : "OpenID Connect built-in scope: address", - "protocol" : "openid-connect", - "attributes" : { - "include.in.token.scope" : "true", - "consent.screen.text" : "${addressScopeConsentText}", - "display.on.consent.screen" : "true" - }, - "protocolMappers" : [ { - "id" : "711afd99-66ea-43df-8275-199b0900ca1a", - "name" : "address", + }, { + "id" : "9186563e-5761-4c48-bd15-1f59e51c882a", + "name" : "sub", "protocol" : "openid-connect", - "protocolMapper" : "oidc-address-mapper", + "protocolMapper" : "oidc-sub-mapper", "consentRequired" : false, "config" : { - "user.attribute.formatted" : "formatted", - "user.attribute.country" : "country", "introspection.token.claim" : "true", - "user.attribute.postal_code" : "postal_code", - "userinfo.token.claim" : "true", - "user.attribute.street" : "street", - "id.token.claim" : "true", - "user.attribute.region" : "region", - "access.token.claim" : "true", - "user.attribute.locality" : "locality" + "access.token.claim" : "true" } } ] }, { - "id" : "e87b9d27-b432-4459-ab13-e7c035625bed", - "name" : "microprofile-jwt", - "description" : "Microprofile - JWT built-in scope", + "id" : "10faa820-bd35-47f6-97b3-dd2820c4e9e9", + "name" : "acr", + "description" : "OpenID Connect scope for add acr (authentication context class reference) to the token", "protocol" : "openid-connect", "attributes" : { - "include.in.token.scope" : "true", + "include.in.token.scope" : "false", "display.on.consent.screen" : "false" }, "protocolMappers" : [ { - "id" : "a68090d0-c1f7-48e1-9f32-5d2ec77457d8", - "name" : "groups", + "id" : "bfef859b-30ac-49ad-88dd-fe43425c0290", + "name" : "acr loa level", "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "protocolMapper" : "oidc-acr-mapper", "consentRequired" : false, "config" : { - "introspection.token.claim" : "true", - "multivalued" : "true", - "user.attribute" : "foo", "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "groups", - "jsonType.label" : "String" - } - }, { - "id" : "2b4f0429-6464-4ff7-b514-742fd9406bd0", - "name" : "upn", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-attribute-mapper", - "consentRequired" : false, - "config" : { "introspection.token.claim" : "true", - "userinfo.token.claim" : "true", - "user.attribute" : "username", - "id.token.claim" : "true", - "access.token.claim" : "true", - "claim.name" : "upn", - "jsonType.label" : "String" + "access.token.claim" : "true" } } ] }, { - "id" : "a4d66eac-66c9-40e7-9c0e-2de645c4a415", - "name" : "role_list", - "description" : "SAML role list", - "protocol" : "saml", + "id" : "003d13b6-5b72-4f7b-add9-dab6330ec555", + "name" : "offline_access", + "description" : "OpenID Connect built-in scope: offline_access", + "protocol" : "openid-connect", "attributes" : { - "consent.screen.text" : "${samlRoleListScopeConsentText}", + "consent.screen.text" : "${offlineAccessScopeConsentText}", "display.on.consent.screen" : "true" - }, - "protocolMappers" : [ { - "id" : "6148e600-1a63-4caa-946a-efe35d0a3bb4", - "name" : "role list", - "protocol" : "saml", - "protocolMapper" : "saml-role-list-mapper", - "consentRequired" : false, - "config" : { - "single" : "false", - "attribute.nameformat" : "Basic", - "attribute.name" : "Role" - } - } ] + } }, { - "id" : "8f865f22-1e06-4426-a2af-1e3b683c6450", - "name" : "roles", - "description" : "OpenID Connect scope for add user roles to the access token", + "id" : "9f4285c8-31e0-4339-ae6c-7eb9725da69b", + "name" : "email", + "description" : "OpenID Connect built-in scope: email", "protocol" : "openid-connect", "attributes" : { - "include.in.token.scope" : "false", - "consent.screen.text" : "${rolesScopeConsentText}", + "include.in.token.scope" : "true", + "consent.screen.text" : "${emailScopeConsentText}", "display.on.consent.screen" : "true" }, "protocolMappers" : [ { - "id" : "b1dc3cca-f0bd-45c2-a52d-f9aef46deebe", - "name" : "realm roles", + "id" : "651f856b-739f-4797-b32c-49a9f571223e", + "name" : "email", "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "protocolMapper" : "oidc-usermodel-attribute-mapper", "consentRequired" : false, "config" : { - "user.attribute" : "foo", "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "email", + "id.token.claim" : "true", "access.token.claim" : "true", - "claim.name" : "realm_access.roles", - "jsonType.label" : "String", - "multivalued" : "true" + "claim.name" : "email", + "jsonType.label" : "String" } }, { - "id" : "8c5de524-3ba5-4f03-9f8f-a0f45e48df6b", - "name" : "client roles", + "id" : "d8e18659-6fdc-4c40-a65e-4d855f514cf9", + "name" : "email verified", "protocol" : "openid-connect", - "protocolMapper" : "oidc-usermodel-client-role-mapper", + "protocolMapper" : "oidc-usermodel-property-mapper", "consentRequired" : false, "config" : { - "user.attribute" : "foo", "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "emailVerified", + "id.token.claim" : "true", "access.token.claim" : "true", - "claim.name" : "resource_access.${client_id}.roles", - "jsonType.label" : "String", - "multivalued" : "true" - } - }, { - "id" : "e8786aa2-884c-40e0-b276-eb7fbd855791", - "name" : "audience resolve", - "protocol" : "openid-connect", - "protocolMapper" : "oidc-audience-resolve-mapper", - "consentRequired" : false, - "config" : { - "introspection.token.claim" : "true", - "access.token.claim" : "true" + "claim.name" : "email_verified", + "jsonType.label" : "boolean" } } ] }, { - "id" : "f1a9e164-cb83-4b91-ac53-7dfe3f6729a6", + "id" : "5139ea54-1669-4a7d-980e-e8a9d7a83d57", "name" : "web-origins", "description" : "OpenID Connect scope for add allowed web origins to the access token", "protocol" : "openid-connect", @@ -1104,7 +1083,7 @@ "display.on.consent.screen" : "false" }, "protocolMappers" : [ { - "id" : "18d62bcd-170e-47c7-93ae-4072f19a1853", + "id" : "febb8ed8-fc30-4d3b-8cc0-729718b3ea7a", "name" : "allowed web origins", "protocol" : "openid-connect", "protocolMapper" : "oidc-allowed-origins-mapper", @@ -1114,6 +1093,27 @@ "access.token.claim" : "true" } } ] + }, { + "id" : "4f6e34b8-158a-4e79-9673-4bc54d984ee0", + "name" : "role_list", + "description" : "SAML role list", + "protocol" : "saml", + "attributes" : { + "consent.screen.text" : "${samlRoleListScopeConsentText}", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "cb55abfc-fda7-4c0e-9b04-fe3059b2b021", + "name" : "role list", + "protocol" : "saml", + "protocolMapper" : "saml-role-list-mapper", + "consentRequired" : false, + "config" : { + "single" : "false", + "attribute.nameformat" : "Basic", + "attribute.name" : "Role" + } + } ] } ], "defaultDefaultClientScopes" : [ "role_list", "profile", "email", "roles", "web-origins", "acr", "basic" ], "defaultOptionalClientScopes" : [ "offline_access", "address", "phone", "microprofile-jwt" ], @@ -1137,57 +1137,60 @@ "identityProviderMappers" : [ ], "components" : { "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" : [ { - "id" : "e76aa8ea-4198-41dd-b498-9951d1459df4", - "name" : "Allowed Protocol Mapper Types", - "providerId" : "allowed-protocol-mappers", - "subType" : "authenticated", + "id" : "00642647-1062-4330-8624-4be0a926d7be", + "name" : "Trusted Hosts", + "providerId" : "trusted-hosts", + "subType" : "anonymous", "subComponents" : { }, "config" : { - "allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-user-attribute-mapper", "saml-user-property-mapper", "oidc-full-name-mapper", "oidc-address-mapper" ] + "host-sending-registration-request-must-match" : [ "true" ], + "client-uris-must-match" : [ "true" ] } }, { - "id" : "fa3f9cf0-c53a-48bb-adb8-f27f66e3568e", - "name" : "Full Scope Disabled", - "providerId" : "scope", - "subType" : "anonymous", + "id" : "7ab2c08b-901f-4b95-b303-1fa87fab5034", + "name" : "Allowed Client Scopes", + "providerId" : "allowed-client-templates", + "subType" : "authenticated", "subComponents" : { }, - "config" : { } + "config" : { + "allow-default-scopes" : [ "true" ] + } }, { - "id" : "10077ff3-12ce-40d5-9108-2de23a14d541", - "name" : "Consent Required", - "providerId" : "consent-required", + "id" : "a1ac08b2-1946-4610-854e-7b301164b98b", + "name" : "Max Clients Limit", + "providerId" : "max-clients", "subType" : "anonymous", "subComponents" : { }, - "config" : { } + "config" : { + "max-clients" : [ "200" ] + } }, { - "id" : "fb43aaf7-481b-462c-9cd3-062d44a42492", + "id" : "75084497-05b2-4978-8088-fe920f5e165e", "name" : "Allowed Protocol Mapper Types", "providerId" : "allowed-protocol-mappers", - "subType" : "anonymous", + "subType" : "authenticated", "subComponents" : { }, "config" : { - "allowed-protocol-mapper-types" : [ "oidc-usermodel-property-mapper", "oidc-full-name-mapper", "saml-user-attribute-mapper", "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "oidc-address-mapper", "saml-user-property-mapper", "oidc-sha256-pairwise-sub-mapper" ] + "allowed-protocol-mapper-types" : [ "saml-user-property-mapper", "oidc-full-name-mapper", "oidc-address-mapper", "oidc-usermodel-attribute-mapper", "saml-role-list-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-user-attribute-mapper", "oidc-usermodel-property-mapper" ] } }, { - "id" : "b92ef2e1-c333-4daf-80b2-b0dc016bb613", - "name" : "Allowed Client Scopes", - "providerId" : "allowed-client-templates", - "subType" : "authenticated", + "id" : "cd373617-6545-43f2-954a-035b08da1d4b", + "name" : "Allowed Protocol Mapper Types", + "providerId" : "allowed-protocol-mappers", + "subType" : "anonymous", "subComponents" : { }, "config" : { - "allow-default-scopes" : [ "true" ] + "allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "oidc-address-mapper", "oidc-usermodel-attribute-mapper", "saml-user-attribute-mapper", "saml-user-property-mapper", "oidc-usermodel-property-mapper", "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper" ] } }, { - "id" : "dae5ff77-754e-4b08-ae16-18e2105a20a8", - "name" : "Max Clients Limit", - "providerId" : "max-clients", + "id" : "843e6e4b-caa8-42ed-bbb2-be158983514e", + "name" : "Consent Required", + "providerId" : "consent-required", "subType" : "anonymous", "subComponents" : { }, - "config" : { - "max-clients" : [ "200" ] - } + "config" : { } }, { - "id" : "7cfe8082-e7b6-4fe2-805f-4bab1c80f66b", + "id" : "bb925f89-8bd3-44cd-942a-d2615fda21f6", "name" : "Allowed Client Scopes", "providerId" : "allowed-client-templates", "subType" : "anonymous", @@ -1196,18 +1199,15 @@ "allow-default-scopes" : [ "true" ] } }, { - "id" : "a0aa3cab-ce51-4f90-af7d-22a8a4d425e0", - "name" : "Trusted Hosts", - "providerId" : "trusted-hosts", + "id" : "d8d6abb4-2ea7-4a13-b325-f7bf359b929a", + "name" : "Full Scope Disabled", + "providerId" : "scope", "subType" : "anonymous", "subComponents" : { }, - "config" : { - "host-sending-registration-request-must-match" : [ "true" ], - "client-uris-must-match" : [ "true" ] - } + "config" : { } } ], "org.keycloak.userprofile.UserProfileProvider" : [ { - "id" : "9adea1fb-e00d-4b4d-80dc-49ad060e17b8", + "id" : "1ecab23b-5b5b-4252-ae04-f02d82a10fbc", "providerId" : "declarative-user-profile", "subComponents" : { }, "config" : { @@ -1215,55 +1215,55 @@ } } ], "org.keycloak.keys.KeyProvider" : [ { - "id" : "491a8374-2165-4639-a5e0-ed46056fc8ef", - "name" : "hmac-generated-hs512", - "providerId" : "hmac-generated", + "id" : "1c046623-2414-470d-885d-676b218f903a", + "name" : "rsa-enc-generated", + "providerId" : "rsa-enc-generated", "subComponents" : { }, "config" : { - "kid" : [ "837b86f8-185f-44d7-a971-08fd21361790" ], - "secret" : [ "0h-TQyfcIzi_NhnjYmj01XQE9cT91JiiXTyQiP2vUNCaEVxYzuEiPrWdKyQrCerNrQWl_BfQvF752F0Ri_CeaCb4oOgdbXtpYHIe39Htm2sR6XboBAo2krQiigZpXpiBFq9vnZoCqk7QYbdPQfCB3b1sPqiQksjKPlU98MBVyTs" ], + "privateKey" : [ "MIIEogIBAAKCAQEAtjMAtyi53OP5PDhUMn0XxLfqUt2Z8nYezDWdxVOSGLRb/zYLK3WaXCwrz88OyBeDHq4QnwD3kGtBmVfJl1jPwEP0QBAVeI3adQJnJhqUpKp7a+ERFQiIlgxhtTWauZxZfwJ1LqDRZ65Th+n5Wldd27J08ex47AHjerCTi8VESCI1+zrZpteNHbHhM30KfXMobnM3wjRtxu8TGtMNZvLA+X1y2bdL4tCcjqBp1JoAOJZRPm2XW6HDmGW3z/LZYI3qffr/xo/JWtjFCrjSfIuuy41bvxkGxkt0AJu6wrlckoAos9PhzJrXIZoqxqdJ5KECid4PlBXxNu3ayT5qCCuuHwIDAQABAoIBAAjqcAOGe6niggS/YOdjlbErqszJSUpDG3i0uva4AzMwSDwx4dQLmjUeeDpgEIIcHG945xlQy8yGYxxk3lmIoAnxiVdFMjfHAUSujGuh61oveYCq79IOq9hj3LgoWlzw2LRNY3yXpAel0TKacXhJRC+HCQ/5mWU7Jm2PjHjPe2roJIOaojg5Z9oUKX4do69aZsRYjukr4MOn79MJ8Y2t+CCFkpRunh753c9I7FjTBMr0ejjLPcdSRl2qQcVeS9XExCdxB9u1sSn7WftfwyKVoks65DIVhANfvNjzDa3gDWvEETjNm/HPmpKcb1fLilvxjGZkknnzj0e67cJxfYGhyrECgYEA386QURCw4oXdTUs1ZbF3HEvc+5URl29IDIKBAPkS+euIXqhTXM0DXrvjNM+7ISZyO8giYTvHxOl1/uKgAEtpapdlkMdLTgQW5p46rQXpufQrn9mwyJlKI39kgyTnmqZMNjBDoe+/Uq9DVjhldRmXJ+snD/T+hsIbuMWMwt2ONLkCgYEA0GhIroPSNH4gIHUpPwUh9HJ3Ungb5ckwIJ65nVekFWdiwDdci7woqJ4TXjqkyf/CcXqlsA18yKV3oVQiI2UUYYzs0YW6tphplbmLb8DPEUUge48PJmWKmLEea9P2X6wQbQ5kr1hiJvQ252BJe24MntXgW8cpMst+mK9g36xOvZcCgYA3vvfreUDV64oH6qfOQLnubmcIs0TCd5F2rDr9xwyW+7fn+/1nrBkey6X4TZXK2Ay0H1GQ7pb/0Tb22fQInsAPMM63lSyIrjQWFWuAFWz2SH9lPY/vJ190IBMlJ1gZCTsKdFMkTtdU/RrEqx96X3lrFAOS0e9kGY1WJL6++vik4QKBgEjPJhVSGG4eYjr0s6RAtswf8W/uZlCxKQ88ZLyDkd+obueYb8yhv9Ko5ztUYZ3wrI3Yu2n2TFIM/O5v5j1XYvdxtIq+nayNMtYMLJquUalG7UI9iJ1xfCo8NtSVCM4D3vk6vhJEXoYda9EJ4qIsoFwdfHST7+C/F0tgegequxehAoGAesBnMgX8m5uENZ5CzeX2jmcz/o01Kr6RmVyo0DFILOhhyO8cIyQg96r1f7/D73Q8GZ5V23FB9y8hgU9dtGpoM52Ty9HA3miceaKJjTkd9c4Lq7Vt74Ho0/WY+LE7lCL3hHBQd+79LfZhSnTrZx7rYMnJjB5qVhJ4jheMumOd4rE=" ], + "keyUse" : [ "ENC" ], + "certificate" : [ "MIICmzCCAYMCBgGSDEEpTTANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjQwOTE5MjE0NTQ5WhcNMzQwOTE5MjE0NzI5WjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2MwC3KLnc4/k8OFQyfRfEt+pS3Znydh7MNZ3FU5IYtFv/NgsrdZpcLCvPzw7IF4MerhCfAPeQa0GZV8mXWM/AQ/RAEBV4jdp1AmcmGpSkqntr4REVCIiWDGG1NZq5nFl/AnUuoNFnrlOH6flaV13bsnTx7HjsAeN6sJOLxURIIjX7Otmm140dseEzfQp9cyhuczfCNG3G7xMa0w1m8sD5fXLZt0vi0JyOoGnUmgA4llE+bZdbocOYZbfP8tlgjep9+v/Gj8la2MUKuNJ8i67LjVu/GQbGS3QAm7rCuVySgCiz0+HMmtchmirGp0nkoQKJ3g+UFfE27drJPmoIK64fAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAAaSiN9JaOTMBNblfin32x8ExMZHFWpVeILIj2jjxhEOKV/d9SHkpKVfccup5aqJzn9mP9oHGNGbekLwW/X/3VWSCIQ7AtVrmmgtJgXEQ5zcW4CQRqtFdE+0IhbKD0Ui06qmU1kEpAUIhn2w9rquDPiHqHxR6K4iz2heESGhbKsYHLrX0zcfljV6ZiipC2OLK1ca+1wg1Ba3FUGy9+kAto1b6VOXS/+dLSxcpBpFzfiyDO1ijavD0y/J8gtNN0+kAilC2EcJQfIiLKg10FCDyHmG9IFV0g227rYpCGzQA5ljVLkB7mXkz0ieofbcRFqyuwRPve+JwBhonlYDTumDkMc=" ], "priority" : [ "100" ], - "algorithm" : [ "HS512" ] + "algorithm" : [ "RSA-OAEP" ] } }, { - "id" : "039e4b49-09f6-4eea-abcc-5629093d48c2", - "name" : "aes-generated", - "providerId" : "aes-generated", + "id" : "96b35fdd-5cff-4ec8-aa78-a10b25a8889b", + "name" : "hmac-generated-hs512", + "providerId" : "hmac-generated", "subComponents" : { }, "config" : { - "kid" : [ "b38fa3ab-54fa-45ea-a3ec-53b06c6ebd1b" ], - "secret" : [ "ECSK8BJxfH0KE7WbtROdkQ" ], - "priority" : [ "100" ] + "kid" : [ "366e0455-d4e7-48a6-ad3a-50faee7b1bdb" ], + "secret" : [ "aHkCWF79XyKGruLZzIu5GuPq6Olu5kLhQKf0g7btkTQWrX0jGm3HfuEKiZm_-sMhonsafkU_GAerocJGHT1-GYsuDCHixJk0hcfY5H4u3PA1SJrA4g5qVCYocdVtAS-LsxpBdfmbnKBjegKnXrS74Mbo5B_zEMxzducY0A-eRu4" ], + "priority" : [ "100" ], + "algorithm" : [ "HS512" ] } }, { - "id" : "edeffc5b-ad14-432b-8816-98178a0b0292", + "id" : "686cb55e-b9ac-48a9-bbe7-470d6fa1304a", "name" : "rsa-generated", "providerId" : "rsa-generated", "subComponents" : { }, "config" : { - "privateKey" : [ "MIIEpAIBAAKCAQEAqgJfKoXnolBDcsRHxXxwwe4eQOcnJpDZ2agQ5hbtOXRqbPeKBlcRHUf6ecjqQjdaWmUOJxIGSNbYNSW/Lw3pyRL939xZiUOugJR9iiYru7TjqPj5Ts3qALryBcJ22iDu3goCysxQeQfWF2U/PuVKZ+OBIZXQ0/Nq6WRIMLopIImh+lVuBTkQzKDgDMIZ88469JFKbWpRZ2zxX5zthhDBtGpDi18mDaZE97Je1d8nvQI/0kWzj2C1pGhZnltEhdHG+SC12hEi8MmUYk7tDUQhJpl3jxIDkQDdGXplks+Hnercj41Hlitt/jT6zjw/AqweGmmNGRYCCD+KTAsAJtG0SwIDAQABAoIBAEza86CqljOHa2ZnmzaI8gSJm/2lQcqqcwF1e+Y4eRefLDmEkk4ZcDA3iOEjVduHYH467vH0sQier3EfVlV0SbrPrhtUZtmp0ipodnRMmzqpJL4Ph8z7Q4z+9khqSAaGGtYf2nFJehus0jkTWUsaps9eRtMjAhu/EBbgcc4takg9k25hfg4Aj/VWRfdqYK9yT6zmgMhhi9TnxHACQtpyz5MfMUgbDzvg31ztqbRAU2YPPbnCjmWcFrZALCq0sBtQXPlZbthOcyiGHvUuTBMUuTeXu2Tbo9Rk7oLiLDYKDtC8cOC/3ldJxTEGVyA4vCC+D2m7g2cY2FEewsC2648GiLECgYEA0jbseH337iinUOTYxInvCErS1PD5WrOuuYRP2qCp8rz4UbVRWPN3Y5fvyTzTZ3WsFRo1vTsEvPEDioFj7JuOI+SAxewW82cvpWSdtBzc4Rouh/XQuIy3gygagHdQaD98yWpEwH+fX4nmRoe+g5YMsgVQzMM/Cr2Jo7ICCipNKXMCgYEAzwmx1OEWT+A1JuYrZmuMVy1XYJf+a3pqPod8/PFCdxcvRN8QM0wS8VOenbQgNPFmDOq/JM6JFz4xAQgrSxeZJveSK7nYUYoFtKeRSuZj8mQl2mXTLYRRnxIS8IC0G+WlqgdwtxGjX63m9jvu7on5SyDZSKEmhs5/tP2u4x2M88kCgYEAnpa0+4n9G30sDQk4x71Pya+5MtDBLb5U2LyLCeMfk3Mg23Ow9SxoK4iaa/Upf+n0cs8dL69wuaISC9HlssEAEO/4fljIT8TO2zX3C8SilmgMJqI6XqA6agY9SCG7VYpf+Avl5lvhvk/om9kYz2jKFxuPg4rg6pdnWUmX5FdZcyUCgYBtAtLCnt2Loyb5W1ngrKIRSMtoDb+lQahtUhOKb1GquOdnoPe7usOCk5/Bs5T9q1krVfLc426lcVaGD5IUENHQBazOHyV6EW1dqJlE0bgwaXDQ5KpjnfcIBZE5Vtr+kVVACHjdu4jFGSCx5+6vZLCBUUN3DXrmohX161jJNsb/mQKBgQChMC4QSxsXMYmPAx4L8QeXN0efQDKmdFc7afyYYNHIIaxKhgJ9YJCFj0demYD2ml/TldZDjvNWj5t+vbNcHWU0MokznEb/YpYRmj//yz4KwNe7qCnqHW3FNeaGf+nONH0dByPkE6jA2UuTwY2m4qDVfx7Pv+WwRF3mqeDXdfe6yA==" ], + "privateKey" : [ "MIIEowIBAAKCAQEA1jaSmeEVgvMUvirpsQ0gtrWJuunJ5gQXk5HZAcx2yO4yDWGsDO6qAMTVmdsjO6EkTIkL4BPqAyE/0DZ89VkEf+69OXWhdFXD7dv0ZufBOZezpTDiZ6cdgQCyaofAsHRmWekaEAgJMTZ6iTT1973rK1W96cXukC2ozk+YDG4w6PCZDpfTpq+KYol8qt0qCjfqPewgHZ+0aEHmM9DeX5RO8o/Z+i5N88R39VnsNYpVvTIlRV/GJ6d+zLDI7l50QxKPNngruD4Z+B3kYQe/e5DcJBoKL45oNfkb+uiV/OuabmyajN1RS8u0FrVUd0emS02dkLuL6TfyYsVInRLzAiQMNwIDAQABAoIBAAs35Bk98e/1MKwS4uvcSaR367odCJn3XeVjDnqAeDoRS2VrAjp9J0G6DTZXr8fYKmaoXgsCpU87pwli88wE45jwP6WqNOXloJ4CK7xV58ckht/K/cMQO+8nwlrqOBulmj9G12VpM6i0TITcqq2qRbjJGT83F/AiDASd+NMHKaA78jj+ZWHmFarTIwfB03Zdznb/8vRGFSsyjhQgOPXZZoZdUu1GJEmnY81/yyZP92n/Cf2gjhZU5obzDHDBk2jhS50M0PVpcem8VD5gIKFAhOZWCJfZUj34eUbcEgg5/6QQE3KAJ7GGSu+pQ1B9l0dJ6EfGv4vl+V4jpfO7FqWi0/ECgYEA8/RknVDMkM3lZ33Vwri+6N8pwlYJ2kRBQEYFJK5TtKu2fSXTqAFhodYKaIJh/f5kQjJniFf2p4Rtmwwde/aoxAdVBinTKRNKlSz4kM0c3vTOCkVSJrW6t3zyTAPBkzk5iPMTi0ghQJ46zUjf7UZIsB6NjI6cf072cBlxUYYaiKcCgYEA4Mo+q7po0ahfLH4hNQ5fa/JWw3OyCdTcJDGTAcB9v+yVXa4SmoZxfwxuuyYAsc0dxa+wZZNMx1Tf6QQUFIVlXlvSLid+LEpClZ/clguQzl3OyIq01XAUSAYsBoxMzwaT9VnSKaN/WrLBMKPG8738GJgbE+EzV2vlUJ9/432xQfECgYBp5vQunr7PNbKapLPBHjYyHX6hUHxidjLlVgAxlkPcMJa96UfirQbXHHXUPJWRj3eyjPMI6za2LfTu0+mQwNkukAhG7q0uLaO48pbNNV2NJDS1nLY2+7kcom8EtLS51qO1YeBgHGXjCU15hGNBO7ueSQUluVsSoRK2QzVAMLkgDQKBgQCwUHHPqKrGp9XexB+vydI2jSJYs8qVw4vYJ7oyyZTYkOynSf31jjY/fLTtveUVkNklUaR+R4cVYhEuZ7CIWAkmdcbpxLhGbQjE61rNpcyy0Ql8aq9kKkD+LTki+bDVQUeUTht15XPi5Ap76DoIvJ+betLiSOVIUKzRDAn3mYMLQQKBgDTNljhvgzvlVvtm0+bpjtJk5j9sJ1yVo1iD8hGKZoFPUzqQ0DFcvf3NXQsZLVeLuyN9WajiuTqhuEp3zfIWyajhd1mPpNl/ZO1j/Ct4rY94awT5QXsZurlrj1HmUTFkmGGJLhBZeu4YhmZBSRojJscbzFeMQmS474Wid5lZtw9I" ], "keyUse" : [ "SIG" ], - "certificate" : [ "MIICmzCCAYMCBgGQN2wk5DANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjQwNjIwMjA1MDUyWhcNMzQwNjIwMjA1MjMyWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqAl8qheeiUENyxEfFfHDB7h5A5ycmkNnZqBDmFu05dGps94oGVxEdR/p5yOpCN1paZQ4nEgZI1tg1Jb8vDenJEv3f3FmJQ66AlH2KJiu7tOOo+PlOzeoAuvIFwnbaIO7eCgLKzFB5B9YXZT8+5Upn44EhldDT82rpZEgwuikgiaH6VW4FORDMoOAMwhnzzjr0kUptalFnbPFfnO2GEMG0akOLXyYNpkT3sl7V3ye9Aj/SRbOPYLWkaFmeW0SF0cb5ILXaESLwyZRiTu0NRCEmmXePEgORAN0ZemWSz4ed6tyPjUeWK23+NPrOPD8CrB4aaY0ZFgIIP4pMCwAm0bRLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAE4JX1hmGcOm/bCB21uOP1+Kkc6uydaZPbvxbibEk1zqtHOnPOnJwNw4m6r6POdZD5k54k0fq4KIIBF1zZwCmwLy+OFto5MzIo13gQQTiieFjMxV/b4XfhaHwYJJiwhDyrZQYjMNL9JvNfKjcBBlKdIhjDQT4M8xLo0ViJnKt03C1JdVBcSiopa3PNMjqNpzay8QosLQ9bfkv3X1mN5NXTkyY2mOHpRhJPzvUrP+ZCUws9PVNgpcoBxQ7SA5E2u67yHFN0x9C+BxbDBvhicoGq6WyT3TSgGHf6PjaAafmiYhmL3/tdX1fM9sh8qZI72296q8pGx0T+Ubs3/WcuLbuyg=" ], + "certificate" : [ "MIICmzCCAYMCBgGSDEEoqjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjQwOTE5MjE0NTQ5WhcNMzQwOTE5MjE0NzI5WjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWNpKZ4RWC8xS+KumxDSC2tYm66cnmBBeTkdkBzHbI7jINYawM7qoAxNWZ2yM7oSRMiQvgE+oDIT/QNnz1WQR/7r05daF0VcPt2/Rm58E5l7OlMOJnpx2BALJqh8CwdGZZ6RoQCAkxNnqJNPX3vesrVb3pxe6QLajOT5gMbjDo8JkOl9Omr4piiXyq3SoKN+o97CAdn7RoQeYz0N5flE7yj9n6Lk3zxHf1Wew1ilW9MiVFX8Ynp37MsMjuXnRDEo82eCu4Phn4HeRhB797kNwkGgovjmg1+Rv66JX865pubJqM3VFLy7QWtVR3R6ZLTZ2Qu4vpN/JixUidEvMCJAw3AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJl6tFjscJN3s1xZ8WMykK6x8rYDFwGB/rsRnh5NiNJSF9c0Uv0JDXjAT5ShTBOr1YBahcIjsGGmoDgayxWCWnVuDGiJ/ChUmZ+pzw78g8H2MuXyG8L/46/73X7CHc3Xd8nXA+gCU1cCTubImQfAa+XTDvI359LXkd8V+Euo5JCnaeMT//73p8VS25exoLuO74H9yCHtR1pdIJf4ChAXnDF/kUPJk0Xzzn9cUOv7kZYSD0/ZXX9zljuF11gmC/qtSpdVlrP0n3xkBFXPuCb6XxuFk1oVyqDBOKLaO86qzebnjYLaaUUO6WgLlg76zecgyL9elHEbDY8B05ss91EE1kY=" ], "priority" : [ "100" ] } }, { - "id" : "1e8aa950-265e-44a7-aeec-bf9e9b8a7250", - "name" : "rsa-enc-generated", - "providerId" : "rsa-enc-generated", + "id" : "7f09e245-5513-4c92-8162-f95bb1f160f8", + "name" : "aes-generated", + "providerId" : "aes-generated", "subComponents" : { }, "config" : { - "privateKey" : [ "MIIEogIBAAKCAQEAysVkfW/UrOSBpWTCpJMdTugBWemjdE1TZeVQnvACtV6o58QY63Idztnobb1XfHqpmn3y8qTcNx2jRL9iWuMMoke49lHpckVcOl3Lv+LzSu0VenwsN7FE4kUKb9QUlXOY+wTIBNtqHgiqvMKKCdMwNesWFDeau8rpM14m5r+74Dw+naYUv+/n3HlI0S5L3unKxEHmLAFA1jgPij6E84Gax9zf0GiwvXq/YAF6vksbmE5V6s7btU2yuHxjAF2YsldEnbYbFXeUS+Y6JwZ9/Yhk8Rfm7Mc8bKeBuSUl6SmLjAv7utp8ePY8ArK6fm5eMhkhZHUKcpZ4vrb1noa2y3V9VwIDAQABAoIBABdh4SSrMKsp7olUBTNVLkawb6Ieqb/6QBO6oywGIUnTkJv+pkuq7SUH8SA2eqWFaj7BJ12JBUaVya4JI8kMmvhbrPM6nuDpKVQnB3J+iUT/8eod8jtkhbz8mSeBcp4z+6rL8lodCIT4xYzezMGKnj9EIgJS0dULS7j7XSEJcHDQTO7hIAt2QEJYy1ftAsf0zZ/6KBsiNO1h4C6WcOgsVLS+YSC6VTUQi0eeqicCp/SLIFaXE58pVoUlsKAlMnH2syzUNLzrYFnblD10F3fmrg09VzVIEG9lA5CkNHMDXf5LC2cwqo4x/OrPr1Fo0fOB/CrNe1TToVHO5Xz8JJ9beIECgYEA91oYyXAXRus5ndulU8UfODkJo0f0NWKlss8dYz8t27uOgne2blB6LsczD8XgH/LQ46GnKa9+vMwqcuOjb3b61kbLROrm/Qfhba8dcuPsCUvJvChM+DUqi9wETnOBK6PadwBUWTb8VAghi0eenThc/GMhgKyQjEnyD18yurV+B7MCgYEA0dxHO7W1LtVM7zm5NHRodr2KuzbOiHwDW/4codd4KlNiCekE+6BL48lt4jJWmmLmydlvQOWSm3ZLa07BHoLGTmxYzriP9e/JbMWstzoxYmDPMNI7kDQ7dcM1/MsHAhYjGSiAHeBaugSeZByFNOe3RxQmWF/Nh3Y1Bl1DTymn4c0CgYAtB8b5bSGftJURqvoHLRzI5IFfq2rHCUV3LwN/nPHhTdzc3aRlotsLhxJBrdlml5L1zekbyqo8/sI/ljebxEJYHh1FV6pjqDqe+EFZOCsxag245nFUwoETYyOZkKeUZUkRXwr8DumS9sP8kjZLEwbCn91qin/qOlAKAl++4+mkxwKBgE9AHVJqK1LVUCljJhKuBykYKQTMDLC0DFy4GL3xbbqmJHbTnYMcpKwPzERIeDXzNW5ygzYBvByjTpXmdr1760GAXwUp44ufkvRVrgS/oBijsHqiWcX6Q54UKxYc4bei/nwotEEUEY7/4YSy1IcHHkpkTJrBCw+lzx5pJ9sEQxbdAoGAEHkn9JTMnY33t2XZvUcjWT2MzKfibRl9A9PLxqiv4HdlB5Zc4YJlV2oXsgWkWsDaLsISAlMNMMYNV8gF/53eC+/dkgG4IVvgPkT/dPEpTvW+Ke1IT3tqWGclElCdZHE9RphJJ8A0kfUTirVNylewt+PdD8ITD3yrRt2GGmzPY0M=" ], - "keyUse" : [ "ENC" ], - "certificate" : [ "MIICmzCCAYMCBgGQN2wlfTANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjQwNjIwMjA1MDUyWhcNMzQwNjIwMjA1MjMyWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxWR9b9Ss5IGlZMKkkx1O6AFZ6aN0TVNl5VCe8AK1XqjnxBjrch3O2ehtvVd8eqmaffLypNw3HaNEv2Ja4wyiR7j2UelyRVw6Xcu/4vNK7RV6fCw3sUTiRQpv1BSVc5j7BMgE22oeCKq8wooJ0zA16xYUN5q7yukzXibmv7vgPD6dphS/7+fceUjRLkve6crEQeYsAUDWOA+KPoTzgZrH3N/QaLC9er9gAXq+SxuYTlXqztu1TbK4fGMAXZiyV0SdthsVd5RL5jonBn39iGTxF+bsxzxsp4G5JSXpKYuMC/u62nx49jwCsrp+bl4yGSFkdQpylni+tvWehrbLdX1XAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAE6H+HxjF6/XOclsHEMVqkQMoHbOb/j+enSaRgLsroX7ir8Xi1mW9HSLReI2H/B8oM/KrVflcGnkE0wD4QR82OR39F/HIbIirwtF96dnBIYs6SzgAUIPrGoBHzAF1yfwcq3utU64yOUKFyS+Lh9LWEULAfMavJJmzYBDSvnzYB/SefOJ/HLLGjs1DLlI72zK9wRisFzlb58Afmmg1I0jAb24NMNNVHK2gY2qIXN4zYcpEKt02dqBnQwyZz3bwzxZXur/+xvNKb+whP4zxNtp6vPiAu9sS+fK+VFCl9tUmaKeDZ+Z1rU1xSJiJ/5XxBmlOdTo5fnGyfWCoQc6pg4OPXM=" ], - "priority" : [ "100" ], - "algorithm" : [ "RSA-OAEP" ] + "kid" : [ "99b8c5d8-b422-4a80-a89b-2b314e88d878" ], + "secret" : [ "ZZ6PFzoCmFp48E0-F3TVEw" ], + "priority" : [ "100" ] } } ] }, "internationalizationEnabled" : false, "supportedLocales" : [ ], "authenticationFlows" : [ { - "id" : "28655129-e787-442d-82ec-2175afcdedbe", + "id" : "c91487d4-f795-4de6-9b52-44a98ff08b17", "alias" : "Account verification options", "description" : "Method with which to verity the existing account", "providerId" : "basic-flow", @@ -1285,7 +1285,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "b97ef93b-4707-4427-924c-06b12a9d6b42", + "id" : "a2d3a758-1964-4082-b8de-67d214d20b73", "alias" : "Browser - Conditional OTP", "description" : "Flow to determine if the OTP is required for the authentication", "providerId" : "basic-flow", @@ -1307,7 +1307,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "b404c2a1-97cd-49f8-9ff8-51c33a2a475f", + "id" : "6f0f0386-b936-4824-a945-585b427cd239", "alias" : "Direct Grant - Conditional OTP", "description" : "Flow to determine if the OTP is required for the authentication", "providerId" : "basic-flow", @@ -1329,7 +1329,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "d73479e8-8ecc-4a59-a988-2b70dc635f32", + "id" : "d2e29c8c-a3ec-4089-adb5-c6ac6b86cc6d", "alias" : "First broker login - Conditional OTP", "description" : "Flow to determine if the OTP is required for the authentication", "providerId" : "basic-flow", @@ -1351,7 +1351,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "77e2aa4b-7ac5-4540-bcab-b3cdb874d0e8", + "id" : "d0e10cd6-f0c1-44b7-a3bb-82c2af613859", "alias" : "Handle Existing Account", "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider", "providerId" : "basic-flow", @@ -1373,7 +1373,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "906e3fe2-9aca-4e2a-8452-207437aa58b2", + "id" : "0138758d-c773-4ee1-a96e-7a49c52fac40", "alias" : "Reset - Conditional OTP", "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", "providerId" : "basic-flow", @@ -1395,7 +1395,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "dfffe646-6381-41c1-984b-daa6ee2c361d", + "id" : "707a42fc-9d0f-4c81-84dc-0922d4e0b81f", "alias" : "User creation or linking", "description" : "Flow for the existing/non-existing user alternatives", "providerId" : "basic-flow", @@ -1418,7 +1418,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "eb8571c5-747d-41c9-860f-11918fd78424", + "id" : "779e49d0-6aad-42f8-8f15-b53718635b92", "alias" : "Verify Existing Account by Re-authentication", "description" : "Reauthentication of existing account", "providerId" : "basic-flow", @@ -1440,7 +1440,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "379aebe8-0bd2-4987-81bc-1445a1c874f2", + "id" : "c762e845-dcf7-4109-a2f0-2946a6adc859", "alias" : "browser", "description" : "browser based authentication", "providerId" : "basic-flow", @@ -1476,7 +1476,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "d1423eee-21e0-4f8e-be0f-3181391271fa", + "id" : "d1c1432f-8205-4690-a0aa-84893776141c", "alias" : "clients", "description" : "Base authentication for clients", "providerId" : "client-flow", @@ -1512,7 +1512,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "265a3aec-eb37-48ca-8dae-343b89704cc6", + "id" : "28ab037a-7672-4ea2-bbd7-0a616cb42d01", "alias" : "direct grant", "description" : "OpenID Connect Resource Owner Grant", "providerId" : "basic-flow", @@ -1541,7 +1541,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "fa1af060-848f-4c0b-87ce-aa2479deb144", + "id" : "0a96e97f-e194-4f49-a992-4bc51b07d34f", "alias" : "docker auth", "description" : "Used by Docker clients to authenticate against the IDP", "providerId" : "basic-flow", @@ -1556,7 +1556,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "479f337c-603f-4b0c-855c-81076a300634", + "id" : "977365e9-b7c8-4cc3-88a1-fe556a68e490", "alias" : "first broker login", "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", "providerId" : "basic-flow", @@ -1579,7 +1579,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "ca92fcc1-d758-482a-9aff-24576d1bd58f", + "id" : "310e7c54-e96f-45da-a57d-4b21d490ade9", "alias" : "forms", "description" : "Username, password, otp and other auth forms.", "providerId" : "basic-flow", @@ -1601,7 +1601,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "b12d71a9-8281-4e29-b964-9c6b0cc9f3f4", + "id" : "058a7bad-aa61-4052-af90-0ed63c829723", "alias" : "registration", "description" : "registration flow", "providerId" : "basic-flow", @@ -1617,7 +1617,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "8dce7cd5-3a30-4a96-b9da-c934040d09f3", + "id" : "52d266a5-2e08-47be-939a-a8871ed2a16d", "alias" : "registration form", "description" : "registration form", "providerId" : "form-flow", @@ -1653,7 +1653,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "f0e9cd6d-b215-42bf-90da-bc6e6f26fe38", + "id" : "65663da1-53aa-4a45-aba1-e0ce8c2e7500", "alias" : "reset credentials", "description" : "Reset credentials for a user if they forgot their password or something", "providerId" : "basic-flow", @@ -1689,7 +1689,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "3ebd8362-d11a-48e4-8ef0-3e03a7defd68", + "id" : "150df60a-42f4-415a-b0b1-89a9e9cf76d2", "alias" : "saml ecp", "description" : "SAML ECP Profile Authentication Flow", "providerId" : "basic-flow", @@ -1705,13 +1705,13 @@ } ] } ], "authenticatorConfig" : [ { - "id" : "56353b42-24a4-4e59-aa2a-b027914d8f28", + "id" : "40732755-fbff-4716-9f05-d50581b4b493", "alias" : "create unique user config", "config" : { "require.password.update.after.registration" : "false" } }, { - "id" : "d860c38c-b89b-41e0-a70e-953dd6252f5e", + "id" : "3e4cf76d-9d20-46ff-811e-2a7508fa7d68", "alias" : "review profile config", "config" : { "update.profile.on.first.login" : "missing" diff --git a/src/test/resources/import-files/exported-realm/25.0.5/master-realm.json b/src/test/resources/import-files/exported-realm/25.0.5/master-realm.json new file mode 100644 index 000000000..b903f8459 --- /dev/null +++ b/src/test/resources/import-files/exported-realm/25.0.5/master-realm.json @@ -0,0 +1,1833 @@ +{ + "id" : "55629008-ce2b-4083-8543-aab9be5c8770", + "realm" : "master", + "displayName" : "Keycloak", + "displayNameHtml" : "
Keycloak
", + "notBefore" : 0, + "defaultSignatureAlgorithm" : "RS256", + "revokeRefreshToken" : false, + "refreshTokenMaxReuse" : 0, + "accessTokenLifespan" : 60, + "accessTokenLifespanForImplicitFlow" : 900, + "ssoSessionIdleTimeout" : 1800, + "ssoSessionMaxLifespan" : 36000, + "ssoSessionIdleTimeoutRememberMe" : 0, + "ssoSessionMaxLifespanRememberMe" : 0, + "offlineSessionIdleTimeout" : 2592000, + "offlineSessionMaxLifespanEnabled" : false, + "offlineSessionMaxLifespan" : 5184000, + "clientSessionIdleTimeout" : 0, + "clientSessionMaxLifespan" : 0, + "clientOfflineSessionIdleTimeout" : 0, + "clientOfflineSessionMaxLifespan" : 0, + "accessCodeLifespan" : 60, + "accessCodeLifespanUserAction" : 300, + "accessCodeLifespanLogin" : 1800, + "actionTokenGeneratedByAdminLifespan" : 43200, + "actionTokenGeneratedByUserLifespan" : 300, + "oauth2DeviceCodeLifespan" : 600, + "oauth2DevicePollingInterval" : 5, + "enabled" : true, + "sslRequired" : "external", + "registrationAllowed" : false, + "registrationEmailAsUsername" : false, + "rememberMe" : false, + "verifyEmail" : false, + "loginWithEmailAllowed" : true, + "duplicateEmailsAllowed" : false, + "resetPasswordAllowed" : false, + "editUsernameAllowed" : false, + "bruteForceProtected" : false, + "permanentLockout" : false, + "maxTemporaryLockouts" : 0, + "maxFailureWaitSeconds" : 900, + "minimumQuickLoginWaitSeconds" : 60, + "waitIncrementSeconds" : 60, + "quickLoginCheckMilliSeconds" : 1000, + "maxDeltaTimeSeconds" : 43200, + "failureFactor" : 30, + "roles" : { + "realm" : [ { + "id" : "2d17c8ae-3af1-4c17-892c-394b5dfffb8c", + "name" : "uma_authorization", + "description" : "${role_uma_authorization}", + "composite" : false, + "clientRole" : false, + "containerId" : "55629008-ce2b-4083-8543-aab9be5c8770", + "attributes" : { } + }, { + "id" : "b6f32281-43f1-4c5c-9175-a33c0b098198", + "name" : "offline_access", + "description" : "${role_offline-access}", + "composite" : false, + "clientRole" : false, + "containerId" : "55629008-ce2b-4083-8543-aab9be5c8770", + "attributes" : { } + }, { + "id" : "6c3542f4-d34e-46c1-82c5-550fb579a747", + "name" : "create-realm", + "description" : "${role_create-realm}", + "composite" : false, + "clientRole" : false, + "containerId" : "55629008-ce2b-4083-8543-aab9be5c8770", + "attributes" : { } + }, { + "id" : "305c2c19-794e-49af-973c-b634e0f80e7f", + "name" : "admin", + "description" : "${role_admin}", + "composite" : true, + "composites" : { + "realm" : [ "create-realm" ], + "client" : { + "master-realm" : [ "query-users", "create-client", "query-clients", "view-identity-providers", "query-groups", "manage-authorization", "manage-identity-providers", "impersonation", "manage-users", "view-realm", "manage-events", "manage-realm", "query-realms", "view-authorization", "manage-clients", "view-events", "view-users", "view-clients" ] + } + }, + "clientRole" : false, + "containerId" : "55629008-ce2b-4083-8543-aab9be5c8770", + "attributes" : { } + }, { + "id" : "3dab2fbc-247f-4615-a0fe-f89c382f1c61", + "name" : "default-roles-master", + "description" : "${role_default-roles}", + "composite" : true, + "composites" : { + "realm" : [ "offline_access", "uma_authorization" ], + "client" : { + "account" : [ "manage-account", "view-profile" ] + } + }, + "clientRole" : false, + "containerId" : "55629008-ce2b-4083-8543-aab9be5c8770", + "attributes" : { } + } ], + "client" : { + "security-admin-console" : [ ], + "admin-cli" : [ ], + "account-console" : [ ], + "broker" : [ { + "id" : "3d6c30c9-4196-490f-8861-18a520071589", + "name" : "read-token", + "description" : "${role_read-token}", + "composite" : false, + "clientRole" : true, + "containerId" : "fc8c7b1a-a320-47c3-941c-b2f2526bbb1c", + "attributes" : { } + } ], + "master-realm" : [ { + "id" : "a8637f4c-dae7-4edf-b7cd-3b9bcb54b14b", + "name" : "query-users", + "description" : "${role_query-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + }, { + "id" : "87eb352d-2784-47aa-8587-228cb3c3b389", + "name" : "create-client", + "description" : "${role_create-client}", + "composite" : false, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + }, { + "id" : "4dd68b4c-4f66-411f-95af-1468b0061dc6", + "name" : "query-clients", + "description" : "${role_query-clients}", + "composite" : false, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + }, { + "id" : "52d635b5-0654-4ddd-82c7-1462cd0f6348", + "name" : "view-identity-providers", + "description" : "${role_view-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + }, { + "id" : "b4209cfd-e1c6-43d8-917e-a822ec23a4de", + "name" : "query-groups", + "description" : "${role_query-groups}", + "composite" : false, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + }, { + "id" : "15c8fec9-1610-4ee0-8402-ef7e123e789f", + "name" : "manage-authorization", + "description" : "${role_manage-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + }, { + "id" : "6d54aff9-a6a0-4209-bbd1-aac3be464ca0", + "name" : "manage-identity-providers", + "description" : "${role_manage-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + }, { + "id" : "30a6d10c-e297-44f8-8c4c-b0dde377ffd0", + "name" : "impersonation", + "description" : "${role_impersonation}", + "composite" : false, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + }, { + "id" : "ac2e28ec-7f86-425a-b96c-f9641cd0198e", + "name" : "manage-users", + "description" : "${role_manage-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + }, { + "id" : "b4cbdffb-4242-481c-92e4-63fcee6456e1", + "name" : "view-realm", + "description" : "${role_view-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + }, { + "id" : "84f688fb-4ff5-4761-9813-0ff3853de194", + "name" : "manage-events", + "description" : "${role_manage-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + }, { + "id" : "a87c1cf9-aeff-49da-ae0d-d9f4868f1483", + "name" : "manage-realm", + "description" : "${role_manage-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + }, { + "id" : "1c44abc2-96d1-4bb5-b92d-268590ee2cd9", + "name" : "query-realms", + "description" : "${role_query-realms}", + "composite" : false, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + }, { + "id" : "901b6ece-ce03-4bfe-8bd6-4402c04128be", + "name" : "manage-clients", + "description" : "${role_manage-clients}", + "composite" : false, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + }, { + "id" : "31774f68-8358-424b-8f7f-33056491eb91", + "name" : "view-authorization", + "description" : "${role_view-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + }, { + "id" : "a595b1f3-6971-4299-a8f4-c45f37b300f9", + "name" : "view-events", + "description" : "${role_view-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + }, { + "id" : "477a4a7c-d685-4fab-916e-ba4e81d8a5d3", + "name" : "view-users", + "description" : "${role_view-users}", + "composite" : true, + "composites" : { + "client" : { + "master-realm" : [ "query-users", "query-groups" ] + } + }, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + }, { + "id" : "ca550468-dabe-440b-993a-cdbaafcf3ba3", + "name" : "view-clients", + "description" : "${role_view-clients}", + "composite" : true, + "composites" : { + "client" : { + "master-realm" : [ "query-clients" ] + } + }, + "clientRole" : true, + "containerId" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "attributes" : { } + } ], + "account" : [ { + "id" : "61a4806b-24fe-4fb6-ade8-ae4297c9eb0e", + "name" : "manage-account-links", + "description" : "${role_manage-account-links}", + "composite" : false, + "clientRole" : true, + "containerId" : "35b8eef9-8716-4907-be74-94dd7310e79d", + "attributes" : { } + }, { + "id" : "f967a9a9-239e-46c0-ad99-a02461fe8ba3", + "name" : "delete-account", + "description" : "${role_delete-account}", + "composite" : false, + "clientRole" : true, + "containerId" : "35b8eef9-8716-4907-be74-94dd7310e79d", + "attributes" : { } + }, { + "id" : "83b4bbe3-3590-4bab-9000-40c30cd74b8a", + "name" : "manage-account", + "description" : "${role_manage-account}", + "composite" : true, + "composites" : { + "client" : { + "account" : [ "manage-account-links" ] + } + }, + "clientRole" : true, + "containerId" : "35b8eef9-8716-4907-be74-94dd7310e79d", + "attributes" : { } + }, { + "id" : "05423878-1b36-4acd-be69-deb4d84a6d88", + "name" : "view-applications", + "description" : "${role_view-applications}", + "composite" : false, + "clientRole" : true, + "containerId" : "35b8eef9-8716-4907-be74-94dd7310e79d", + "attributes" : { } + }, { + "id" : "895bf952-95c3-4399-a9cc-c0267dd85615", + "name" : "view-consent", + "description" : "${role_view-consent}", + "composite" : false, + "clientRole" : true, + "containerId" : "35b8eef9-8716-4907-be74-94dd7310e79d", + "attributes" : { } + }, { + "id" : "65a7eff2-0043-408a-b0a8-11240b65af3b", + "name" : "view-groups", + "description" : "${role_view-groups}", + "composite" : false, + "clientRole" : true, + "containerId" : "35b8eef9-8716-4907-be74-94dd7310e79d", + "attributes" : { } + }, { + "id" : "8dec7ad0-523e-437f-8719-6430a9dfc5ba", + "name" : "view-profile", + "description" : "${role_view-profile}", + "composite" : false, + "clientRole" : true, + "containerId" : "35b8eef9-8716-4907-be74-94dd7310e79d", + "attributes" : { } + }, { + "id" : "9338a13f-baeb-44a5-a45c-140508cebcbf", + "name" : "manage-consent", + "description" : "${role_manage-consent}", + "composite" : true, + "composites" : { + "client" : { + "account" : [ "view-consent" ] + } + }, + "clientRole" : true, + "containerId" : "35b8eef9-8716-4907-be74-94dd7310e79d", + "attributes" : { } + } ] + } + }, + "groups" : [ ], + "defaultRole" : { + "id" : "3dab2fbc-247f-4615-a0fe-f89c382f1c61", + "name" : "default-roles-master", + "description" : "${role_default-roles}", + "composite" : true, + "clientRole" : false, + "containerId" : "55629008-ce2b-4083-8543-aab9be5c8770" + }, + "requiredCredentials" : [ "password" ], + "otpPolicyType" : "totp", + "otpPolicyAlgorithm" : "HmacSHA1", + "otpPolicyInitialCounter" : 0, + "otpPolicyDigits" : 6, + "otpPolicyLookAheadWindow" : 1, + "otpPolicyPeriod" : 30, + "otpPolicyCodeReusable" : false, + "otpSupportedApplications" : [ "totpAppFreeOTPName", "totpAppGoogleName", "totpAppMicrosoftAuthenticatorName" ], + "localizationTexts" : { }, + "webAuthnPolicyRpEntityName" : "keycloak", + "webAuthnPolicySignatureAlgorithms" : [ "ES256" ], + "webAuthnPolicyRpId" : "", + "webAuthnPolicyAttestationConveyancePreference" : "not specified", + "webAuthnPolicyAuthenticatorAttachment" : "not specified", + "webAuthnPolicyRequireResidentKey" : "not specified", + "webAuthnPolicyUserVerificationRequirement" : "not specified", + "webAuthnPolicyCreateTimeout" : 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister" : false, + "webAuthnPolicyAcceptableAaguids" : [ ], + "webAuthnPolicyExtraOrigins" : [ ], + "webAuthnPolicyPasswordlessRpEntityName" : "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms" : [ "ES256" ], + "webAuthnPolicyPasswordlessRpId" : "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference" : "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment" : "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey" : "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement" : "not specified", + "webAuthnPolicyPasswordlessCreateTimeout" : 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister" : false, + "webAuthnPolicyPasswordlessAcceptableAaguids" : [ ], + "webAuthnPolicyPasswordlessExtraOrigins" : [ ], + "scopeMappings" : [ { + "clientScope" : "offline_access", + "roles" : [ "offline_access" ] + } ], + "clientScopeMappings" : { + "account" : [ { + "client" : "account-console", + "roles" : [ "manage-account", "view-groups" ] + } ] + }, + "clients" : [ { + "id" : "35b8eef9-8716-4907-be74-94dd7310e79d", + "clientId" : "account", + "name" : "${client_account}", + "rootUrl" : "${authBaseUrl}", + "baseUrl" : "/realms/master/account/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ "/realms/master/account/*" ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "post.logout.redirect.uris" : "+" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "basic", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "acc8caf3-a610-45cd-b2f1-ce4245274289", + "clientId" : "account-console", + "name" : "${client_account-console}", + "rootUrl" : "${authBaseUrl}", + "baseUrl" : "/realms/master/account/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ "/realms/master/account/*" ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "post.logout.redirect.uris" : "+", + "pkce.code.challenge.method" : "S256" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "protocolMappers" : [ { + "id" : "d137a637-7423-4f2c-86ef-0e158a3ce338", + "name" : "audience resolve", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-audience-resolve-mapper", + "consentRequired" : false, + "config" : { } + } ], + "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "basic", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "5f39526a-b61e-496b-b08e-609cc0357a9b", + "clientId" : "admin-cli", + "name" : "${client_admin-cli}", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : false, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : true, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "basic", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "fc8c7b1a-a320-47c3-941c-b2f2526bbb1c", + "clientId" : "broker", + "name" : "${client_broker}", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : true, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "basic", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "2e87bbcd-3d6d-4e09-8115-9e5f45b96c87", + "clientId" : "master-realm", + "name" : "master Realm", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : true, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "basic", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "f62d771b-69ba-4fb6-a438-38dd828a820f", + "clientId" : "security-admin-console", + "name" : "${client_security-admin-console}", + "rootUrl" : "${authAdminUrl}", + "baseUrl" : "/admin/master/console/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "redirectUris" : [ "/admin/master/console/*" ], + "webOrigins" : [ "+" ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "post.logout.redirect.uris" : "+", + "pkce.code.challenge.method" : "S256" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "protocolMappers" : [ { + "id" : "c7fc85a2-9902-4141-9292-198e38482be9", + "name" : "locale", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "locale", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "locale", + "jsonType.label" : "String" + } + } ], + "defaultClientScopes" : [ "web-origins", "acr", "roles", "profile", "basic", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + } ], + "clientScopes" : [ { + "id" : "2d20ac87-c4c9-4669-8817-72d762740765", + "name" : "offline_access", + "description" : "OpenID Connect built-in scope: offline_access", + "protocol" : "openid-connect", + "attributes" : { + "consent.screen.text" : "${offlineAccessScopeConsentText}", + "display.on.consent.screen" : "true" + } + }, { + "id" : "c971abb0-a8e4-4f02-912a-225cfcd9b459", + "name" : "acr", + "description" : "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "false" + }, + "protocolMappers" : [ { + "id" : "7ee61ec6-ad2a-475b-9a24-85d3c2e7cb3c", + "name" : "acr loa level", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-acr-mapper", + "consentRequired" : false, + "config" : { + "id.token.claim" : "true", + "introspection.token.claim" : "true", + "access.token.claim" : "true" + } + } ] + }, { + "id" : "9ad8bb00-9914-40d3-b5d7-5d8291e9e443", + "name" : "roles", + "description" : "OpenID Connect scope for add user roles to the access token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "consent.screen.text" : "${rolesScopeConsentText}", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "4de0a385-cbf0-469f-9a5f-392c05c82140", + "name" : "client roles", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-client-role-mapper", + "consentRequired" : false, + "config" : { + "user.attribute" : "foo", + "introspection.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "resource_access.${client_id}.roles", + "jsonType.label" : "String", + "multivalued" : "true" + } + }, { + "id" : "6243d0e8-3408-4ddb-abfc-11b695e7b2d0", + "name" : "realm roles", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "user.attribute" : "foo", + "introspection.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "realm_access.roles", + "jsonType.label" : "String", + "multivalued" : "true" + } + }, { + "id" : "6acd19c0-2966-4b14-b3a3-23d12f93a57a", + "name" : "audience resolve", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-audience-resolve-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "access.token.claim" : "true" + } + } ] + }, { + "id" : "94ca65f7-c8e1-4e9d-9047-a75eba57f74b", + "name" : "role_list", + "description" : "SAML role list", + "protocol" : "saml", + "attributes" : { + "consent.screen.text" : "${samlRoleListScopeConsentText}", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "62962673-ce81-4253-87b4-7f46a3afd696", + "name" : "role list", + "protocol" : "saml", + "protocolMapper" : "saml-role-list-mapper", + "consentRequired" : false, + "config" : { + "single" : "false", + "attribute.nameformat" : "Basic", + "attribute.name" : "Role" + } + } ] + }, { + "id" : "cdf4b8ff-6935-4913-afb7-1837731701f3", + "name" : "email", + "description" : "OpenID Connect built-in scope: email", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "consent.screen.text" : "${emailScopeConsentText}", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "b3338a00-7e5a-4fbd-aee1-bff1f817007d", + "name" : "email verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "emailVerified", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email_verified", + "jsonType.label" : "boolean" + } + }, { + "id" : "1783cd75-645d-4f2b-a48c-bf2f6d707262", + "name" : "email", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "email", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "46405ff1-0e62-4222-8f33-4627072f3b26", + "name" : "web-origins", + "description" : "OpenID Connect scope for add allowed web origins to the access token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "consent.screen.text" : "", + "display.on.consent.screen" : "false" + }, + "protocolMappers" : [ { + "id" : "b50eff38-2442-42f7-aef2-3e01effa005a", + "name" : "allowed web origins", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-allowed-origins-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "access.token.claim" : "true" + } + } ] + }, { + "id" : "06f6c19f-6045-4647-92da-a9cd0497a4f8", + "name" : "basic", + "description" : "OpenID Connect scope for add all basic claims to the token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "false" + }, + "protocolMappers" : [ { + "id" : "838ea479-de74-4cd3-8e9c-21f42b3b1b46", + "name" : "auth_time", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usersessionmodel-note-mapper", + "consentRequired" : false, + "config" : { + "user.session.note" : "AUTH_TIME", + "id.token.claim" : "true", + "introspection.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "auth_time", + "jsonType.label" : "long" + } + }, { + "id" : "a8fa5167-2d4b-4be3-aefd-1cd42d3abbc3", + "name" : "sub", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-sub-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "access.token.claim" : "true" + } + } ] + }, { + "id" : "3f45efd8-d12b-4a45-b8f7-9f7cec39039f", + "name" : "microprofile-jwt", + "description" : "Microprofile - JWT built-in scope", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "false" + }, + "protocolMappers" : [ { + "id" : "cf4f3daf-4f05-46f5-bed7-6de6fc3a588a", + "name" : "groups", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "multivalued" : "true", + "user.attribute" : "foo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "groups", + "jsonType.label" : "String" + } + }, { + "id" : "83afe61e-c2d6-45ad-b3bb-6f1e76dfb1ce", + "name" : "upn", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "upn", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "b39d8d21-3b25-4817-a9e7-67f8e059d5a7", + "name" : "address", + "description" : "OpenID Connect built-in scope: address", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "consent.screen.text" : "${addressScopeConsentText}", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "5d68a21b-a4b2-4a36-a97b-d342324a7b2c", + "name" : "address", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-address-mapper", + "consentRequired" : false, + "config" : { + "user.attribute.formatted" : "formatted", + "user.attribute.country" : "country", + "introspection.token.claim" : "true", + "user.attribute.postal_code" : "postal_code", + "userinfo.token.claim" : "true", + "user.attribute.street" : "street", + "id.token.claim" : "true", + "user.attribute.region" : "region", + "access.token.claim" : "true", + "user.attribute.locality" : "locality" + } + } ] + }, { + "id" : "916bb27b-3294-4881-b301-14dd75538a71", + "name" : "profile", + "description" : "OpenID Connect built-in scope: profile", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "consent.screen.text" : "${profileScopeConsentText}", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "62e2c9bc-fb68-43dd-9f14-fd1efd689b86", + "name" : "family name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "lastName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "family_name", + "jsonType.label" : "String" + } + }, { + "id" : "b48b6d86-81cb-4608-8809-17b38c6480a8", + "name" : "zoneinfo", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "zoneinfo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "zoneinfo", + "jsonType.label" : "String" + } + }, { + "id" : "3456d440-c1c4-4cb4-951a-39a0728506d0", + "name" : "nickname", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "nickname", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "nickname", + "jsonType.label" : "String" + } + }, { + "id" : "c9c4d8b0-a041-4ecf-b23e-42f3b2694e26", + "name" : "profile", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "profile", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "profile", + "jsonType.label" : "String" + } + }, { + "id" : "16a90a31-a90f-4c0a-85ce-04bceca33f0a", + "name" : "picture", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "picture", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "picture", + "jsonType.label" : "String" + } + }, { + "id" : "522bd07d-8996-4b9d-8e58-6a8ebbfdeef7", + "name" : "middle name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "middleName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "middle_name", + "jsonType.label" : "String" + } + }, { + "id" : "5458c27e-5edd-4bfa-90f7-7153cb0f8e03", + "name" : "locale", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "locale", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "locale", + "jsonType.label" : "String" + } + }, { + "id" : "5754217d-7b38-4e40-bad6-c80e94f638c3", + "name" : "given name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "firstName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "given_name", + "jsonType.label" : "String" + } + }, { + "id" : "b801307d-ed2c-4cef-96f2-1e598520b3d5", + "name" : "full name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-full-name-mapper", + "consentRequired" : false, + "config" : { + "id.token.claim" : "true", + "introspection.token.claim" : "true", + "access.token.claim" : "true", + "userinfo.token.claim" : "true" + } + }, { + "id" : "0c9d3061-9e9d-4f67-9e24-03d6d5c30ceb", + "name" : "birthdate", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "birthdate", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "birthdate", + "jsonType.label" : "String" + } + }, { + "id" : "9f451040-74c5-4c2a-97e7-2f9445340b5c", + "name" : "username", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "preferred_username", + "jsonType.label" : "String" + } + }, { + "id" : "9b4231f0-e0ed-49c5-97f9-d1420b5642fb", + "name" : "updated at", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "updatedAt", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "updated_at", + "jsonType.label" : "long" + } + }, { + "id" : "d9870bab-1f80-4f4a-b3f8-967653dc30c1", + "name" : "website", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "website", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "website", + "jsonType.label" : "String" + } + }, { + "id" : "4651b46f-49d0-4e32-84ca-26fc14b6d583", + "name" : "gender", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "gender", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "gender", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "2c886135-ef41-45ca-ba5e-096908a7fabd", + "name" : "phone", + "description" : "OpenID Connect built-in scope: phone", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "consent.screen.text" : "${phoneScopeConsentText}", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "226d6df9-bd98-497b-a50a-5fb47900b3d2", + "name" : "phone number verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumberVerified", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number_verified", + "jsonType.label" : "boolean" + } + }, { + "id" : "d0a583c1-2b9d-4104-b680-97a508d9bfc3", + "name" : "phone number", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "introspection.token.claim" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumber", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number", + "jsonType.label" : "String" + } + } ] + } ], + "defaultDefaultClientScopes" : [ "role_list", "profile", "email", "roles", "web-origins", "acr", "basic" ], + "defaultOptionalClientScopes" : [ "offline_access", "address", "phone", "microprofile-jwt" ], + "browserSecurityHeaders" : { + "contentSecurityPolicyReportOnly" : "", + "xContentTypeOptions" : "nosniff", + "referrerPolicy" : "no-referrer", + "xRobotsTag" : "none", + "xFrameOptions" : "SAMEORIGIN", + "xXSSProtection" : "1; mode=block", + "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "strictTransportSecurity" : "max-age=31536000; includeSubDomains" + }, + "smtpServer" : { }, + "eventsEnabled" : false, + "eventsListeners" : [ "jboss-logging" ], + "enabledEventTypes" : [ ], + "adminEventsEnabled" : false, + "adminEventsDetailsEnabled" : false, + "identityProviders" : [ ], + "identityProviderMappers" : [ ], + "components" : { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" : [ { + "id" : "87057623-2bae-4d00-b2b5-3a51a77575cf", + "name" : "Max Clients Limit", + "providerId" : "max-clients", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "max-clients" : [ "200" ] + } + }, { + "id" : "05f11c22-2fb9-4fcd-a1e1-0ded5b9de360", + "name" : "Allowed Client Scopes", + "providerId" : "allowed-client-templates", + "subType" : "authenticated", + "subComponents" : { }, + "config" : { + "allow-default-scopes" : [ "true" ] + } + }, { + "id" : "da12dadc-2535-4ad5-86e1-d1ef956a0364", + "name" : "Allowed Client Scopes", + "providerId" : "allowed-client-templates", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "allow-default-scopes" : [ "true" ] + } + }, { + "id" : "5cc8d47e-038c-4532-a180-7a9a8cd24414", + "name" : "Allowed Protocol Mapper Types", + "providerId" : "allowed-protocol-mappers", + "subType" : "authenticated", + "subComponents" : { }, + "config" : { + "allowed-protocol-mapper-types" : [ "oidc-sha256-pairwise-sub-mapper", "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper", "oidc-address-mapper", "oidc-full-name-mapper", "saml-role-list-mapper", "saml-user-property-mapper" ] + } + }, { + "id" : "c5f68155-3167-45c8-9f74-841bf10b1b06", + "name" : "Trusted Hosts", + "providerId" : "trusted-hosts", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "host-sending-registration-request-must-match" : [ "true" ], + "client-uris-must-match" : [ "true" ] + } + }, { + "id" : "cd1ca8c0-a84e-41e0-8274-b361b55ffb73", + "name" : "Consent Required", + "providerId" : "consent-required", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { } + }, { + "id" : "77d72357-68df-434a-8be3-3e38125c7a5b", + "name" : "Full Scope Disabled", + "providerId" : "scope", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { } + }, { + "id" : "d9fbfcdd-60c8-4945-8cf2-66b63d59ab4b", + "name" : "Allowed Protocol Mapper Types", + "providerId" : "allowed-protocol-mappers", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "allowed-protocol-mapper-types" : [ "saml-user-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-full-name-mapper", "oidc-address-mapper", "oidc-usermodel-attribute-mapper", "saml-user-property-mapper", "oidc-usermodel-property-mapper", "saml-role-list-mapper" ] + } + } ], + "org.keycloak.userprofile.UserProfileProvider" : [ { + "id" : "94e6d532-7947-4f4d-a299-bb8ba6abbfbd", + "providerId" : "declarative-user-profile", + "subComponents" : { }, + "config" : { + "kc.user.profile.config" : [ "{\"attributes\":[{\"name\":\"username\",\"displayName\":\"${username}\",\"validations\":{\"length\":{\"min\":3,\"max\":255},\"username-prohibited-characters\":{},\"up-username-not-idn-homograph\":{}},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"email\",\"displayName\":\"${email}\",\"validations\":{\"email\":{},\"length\":{\"max\":255}},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"firstName\",\"displayName\":\"${firstName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"lastName\",\"displayName\":\"${lastName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false}],\"groups\":[{\"name\":\"user-metadata\",\"displayHeader\":\"User metadata\",\"displayDescription\":\"Attributes, which refer to user metadata\"}]}" ] + } + } ], + "org.keycloak.keys.KeyProvider" : [ { + "id" : "e30b9bb6-81cf-4924-9c4c-6e8ca8422bf4", + "name" : "hmac-generated-hs512", + "providerId" : "hmac-generated", + "subComponents" : { }, + "config" : { + "kid" : [ "20ae767e-f05d-41af-bf73-3de8f7b88150" ], + "secret" : [ "qIK-SLxIZhBtMbvp1WK6SdDwy5iFPO2NPQoShzdwE324Vlb4tzD5l5XTK6-23nDycjeZ3FV_jT0VQzUzD_yl4yKwe6bDMQJKKUW1uUe0zITSrYoEMxrLzVUO0tnKHVc62GuDJI8ejkg_qQuUOV2DhUdxuukaHCRdsXp6h5PSQKc" ], + "priority" : [ "100" ], + "algorithm" : [ "HS512" ] + } + }, { + "id" : "22177e0b-0bf0-494d-a1c1-23acfc99f87b", + "name" : "aes-generated", + "providerId" : "aes-generated", + "subComponents" : { }, + "config" : { + "kid" : [ "7ed63787-e3ff-4485-bce2-ae75ce554674" ], + "secret" : [ "VH4-cDoW7bSHGmmrLwHB-A" ], + "priority" : [ "100" ] + } + }, { + "id" : "8ac14947-ed9f-4f23-bc61-fee97a322fae", + "name" : "rsa-generated", + "providerId" : "rsa-generated", + "subComponents" : { }, + "config" : { + "privateKey" : [ "MIIEpAIBAAKCAQEAxPUr2W2/HjVHzYG4QTHT2h2YJEfXtQd/YkfXPtlhKgSPOKiKbsyJHek3ZvgoMwNkNj6EdB85DboIWlEkZUd6BD7EU98DjaIGfK1U2oqiRM6VA8W0SN+on+mkhUge8hDRC45yaTibc8ngzDzFj6W0zdGS5+HULGtNBO5kxzr3Iq3mSlHMvTBW/EHxeDThBOrUbwcf6CE7oY01xKjsid8H3ujHTqG63WWmF4nycfnxgzwo1bNspmBLkUVXN5x5p2WZxMkV3bPJ3XRZsNcKnrXbnvLV3RRSHx96nYMSHncyyZv/emhiRey0au3X4uCWh944O6VQQgG1tBMTA1ruNZ+7yQIDAQABAoIBAAY1Geww3sijcj9iWr3HRb+GlkByeTRt55Bf5kNHU54g5aip+y7xyFKGgqX+pTmyXiqtfrwwLbqmhdPe4dBFV+2hUsu36CNDG4Q7bES1ANc9UYn8Zam0Ttq3YOWId902NXhxRV7Wl2OnVavqMGnOFaw08jXXsrmxqgxBPTDgRWC03x/tI/qSsPP/zj4QfcmIFBjjXyg6+07z07kILBI+0pJNuk0wodA2KyD7FuakLgbgQxHM0tB9ob/cuOY11REuQuis8MN0pdP2GEttWxcDhhVlEGuQu+Em5tnxKfM3Z8Q2nJfyCYhBhSvBRNCqVFMp/TSNn9ncw0m3lWbIgVCsFYcCgYEA/LVvUwg30yWbDiqmuPClCpKFfjzQgaHQ/vSvU89xdDj7A6rjKig8MXB2EXk4XN/V66ZcTt4Q041ICY4yGWlfCdxqcaaAjL/iHOKc6/1Wg2LycAsRlC0jejaCHMDdPYNsgbS1DiswZoiB06/wDmhqkRjo60ILRmWTPgyzWcFUvDMCgYEAx4Xa3WQUBtIItZW4z4VC7ALetJ6YHJomGZRvNCkO+HVeadrIS1HzELzdPEmeHNeqqUD0AukJmSuncR4D54WvS+8Ux7zRyTebv87zuBXc4oAmmC+w4sUVOR/r9r5qzPqI4GwTMxmNNzsrzmqx8Vl6q/bR6P+jf+rOBh9heqcPLBMCgYAEywAoiABfDdiKBT8SROYsdCj6AvdFbidDnqpwoX+aX7ZLFIOoegjiOyrSHAV4pXouNQKNMGMLUCOsorjKiJgX3MlcDHdltAH64EVvqGdqqIbGnz8fG1gP6la/at0HXKXDNAU3FpSdbTthI3YfH9XdmKZaR+9kz2pig+Um76bGxwKBgQCPasP7x2gtzuO7wrdpU5zbEOUMZ8NnK9afJHcawzijl5oZ9M1sdqeFLHzKTRB+IvflWW8MeH4Rv7NIOA8OaKWsq1oAiNUzEem+YgAGHpD7rqoPUpiPKKMswKlYX19dn+iriIP0gzVisgG3CjKGDY+D9JLGLJtV423cMMpc46CgSQKBgQC7qB0JWkQVWMvYmXCJugggZ7ywN6pbpWJHmTIHWcfT9KO2xi6YSBV0Jc7RwiCmci71qUfr8leAW9HVEES50eMv2Ney+jPmJXwkTYI9/EJGQpO8AUiEpElGpxB0ZvGf3CCFZ0+W5xB2ZYA78+y/Zbx+TrWNzq3HTTL3nxWUbifpxw==" ], + "keyUse" : [ "SIG" ], + "certificate" : [ "MIICmzCCAYMCBgGSDEPEojANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjQwOTE5MjE0ODQwWhcNMzQwOTE5MjE1MDIwWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDE9SvZbb8eNUfNgbhBMdPaHZgkR9e1B39iR9c+2WEqBI84qIpuzIkd6Tdm+CgzA2Q2PoR0HzkNughaUSRlR3oEPsRT3wONogZ8rVTaiqJEzpUDxbRI36if6aSFSB7yENELjnJpOJtzyeDMPMWPpbTN0ZLn4dQsa00E7mTHOvcireZKUcy9MFb8QfF4NOEE6tRvBx/oITuhjTXEqOyJ3wfe6MdOobrdZaYXifJx+fGDPCjVs2ymYEuRRVc3nHmnZZnEyRXds8nddFmw1wqetdue8tXdFFIfH3qdgxIedzLJm/96aGJF7LRq7dfi4JaH3jg7pVBCAbW0ExMDWu41n7vJAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABd7Xf3EmGEfGiXKSQeWeuQsvogVcaIp9qHcCxHbkABGgSL+I04wAcigLsV774eMTWlwugjet/u4SE5NN+vh0rXdcKsd3o6co4BkA7GzN0vyCVN8sIKtwnu6wzl66ukqhbLiZwUapa7Dbz+kHJha7rpKkOF5i2p05x9+40eQpgP/vGgfuQuWW3BPMPJeG6Mihj11kATWCIEogAWDwcY69MC6zsMsysAP+gxa9R5HkyvA9xsy7J1odo9MNRPUGvrooehBD9StkG3vljf2hSiflhkXI9SLKpWGsrZf9uVzZMI2NEpe6M541YtFAiZID3GlbQ0R51kD2yMgy0mITeLMpHs=" ], + "priority" : [ "100" ] + } + }, { + "id" : "86cc40cb-4918-419f-832f-20eb0b7b71ac", + "name" : "rsa-enc-generated", + "providerId" : "rsa-enc-generated", + "subComponents" : { }, + "config" : { + "privateKey" : [ "MIIEpQIBAAKCAQEA4W5uNBxDjiYxBlU/i+tSUl+mDDtGzwYoM1HbEu2SynzdvsUp8jNdvAiSOw53DMz2sfjo0FYo6p2nlCVUwcMm4CseURBsvkdqf5anXkxkPWQ/vUfrb53w68XZ/yElv77MxOzzH6kv1USg7WgO15LULoK32UNk+ppNYqfXlH9v8aCYyFnI8Q35G1tR5PPqKcgI6Zuvr+WK6DjATe0Ce+jqpJ1yV7uDIrR1W6ChIAdaOrU7h+rVyLxRg4Vc32N+X8UT1EQIj2ns5Txy7cCLmW3rT1dHbzat4LKl6WuXNMm/WtkswaSzWMrqsOwKr/cwxRj6JZtyLEF0wei9ss9YS/P0uwIDAQABAoIBABFuxL7q4J6BfZELzpo3XGpaUzDm9JbV1w4A6nwQOyXFejBidtfv+POthgFjIPmwb/NbWEWkJA3gmzDtohxJxxvWucVzC7W7OBUdxVuZdLb6paMxiJddE2BoMG92VMD7NEKWQEbWgohvgjJZtaweAqKGIUl/2LM4c3uJlzY4lKOOrpkA+3KaATI2hmtcZuhzr+8JvaZbt1eX4SYCKCC1/uU0vJ7gtsEQ4fjqlWQ93aJYMnO0J5hDXVcyq+/yp+aOvNZvBTbmgyJw92ybMTvvb25wGY2W6/w/R560lK27MixxUdLm6mQrWik8Sbryk6iPslwSs9kP1Z2DxeiP6U57SoECgYEA9Eca78EwUmJRVuEsmLLTXap3bsvFwsz7TcZwUxodKwDWbYu0Csg+H+crsxnDOjljTY7MDfT6T+BniHTlgt1tWgTyvDroGs+VPNsEr9k5XRaf0hqaD3y0IeEw9wJioaB7Mes/5fjejnwZ4lyD2M0GsSRVxSGXqnzh4fP4xCQ9K7ECgYEA7D/NRbXAxJ2S8J1l0IMmWrE3aecV/00vq51YAXjss/YH/Lv/6WmibgOvAROjmdT6Zpptncd8N6heh7S3X3axQ/RM3uxDFOportIlpAdLN6YM7UOdjKbpGt1iQlPzJJ2ziRIp8JP284N/XlAACtQjg5yYuS067iqwnHx5IuKU/isCgYEAuYUrKv1Q4rCyz8XR5eKiblehvy7ZcfnVvhrAggyqLFfFgosAYNP1gqtB4BLn11dwWJ3j0ZHFbVajqtoE2N+sRhrN8zDVyE7xK7e3Fopma5FcLehwKuTttXFei6pvGAtWpPHipJjfBd2wlt7mb4g+1dgfn8jEdAHGV6G/w881+fECgYEA5LJ2si7Z5vtrDUYxE4KCFHVNYVV0c+pyZT0xvmsjKKrY3I3ZlEjQFpO2S+KJExebNsvzpTNBSlfQ+qm0gdNSkqfh6kLoRU0N/X4tNfZhmANErEIyN8A0E++PeQnva9jFvcE5nEyAWQdIuzHSeKkXoAZtyYTBcWEeCr5sPZr+BHUCgYEAiZ2S2J9a71RR5SjbrpzzWFCwg4WksJzBe8oS7xLuA/zPwv2ITBBVZcYhjpHkrO/ZwE+9cP1dorbLus6r/a2vxs4tIbtaLIFoKDHNsIue9XQJObtVE9CbNSqxksp/F4f8Cm4srrdxdGzYz45jxHvOonNC41HYh4wubqycCwXH+Gs=" ], + "keyUse" : [ "ENC" ], + "certificate" : [ "MIICmzCCAYMCBgGSDEPFSDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjQwOTE5MjE0ODQxWhcNMzQwOTE5MjE1MDIxWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhbm40HEOOJjEGVT+L61JSX6YMO0bPBigzUdsS7ZLKfN2+xSnyM128CJI7DncMzPax+OjQVijqnaeUJVTBwybgKx5REGy+R2p/lqdeTGQ9ZD+9R+tvnfDrxdn/ISW/vszE7PMfqS/VRKDtaA7XktQugrfZQ2T6mk1ip9eUf2/xoJjIWcjxDfkbW1Hk8+opyAjpm6+v5YroOMBN7QJ76OqknXJXu4MitHVboKEgB1o6tTuH6tXIvFGDhVzfY35fxRPURAiPaezlPHLtwIuZbetPV0dvNq3gsqXpa5c0yb9a2SzBpLNYyuqw7Aqv9zDFGPolm3IsQXTB6L2yz1hL8/S7AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAALM8s3LBqBOqVTeDNJNkUJ2OhJk1iTr37F1qNJy+gFIokNzE7FaD7obMBD3hoHnW4pOJEIjfLw2N79lH66lY99M2zxC4jhe/d9yqKxoAhzk5MZyPOUnBR1NqQ/n7qfIE/vfPeNdLhyKV0+6V6fBcimXM0El+PCKag8T4HkiLpLs6MuRVOLlaPwKsXCwr24TWnyhcuTvNFmnIVYtryGyCHvJDApAcvak8HlhKiIiDI1PiEaLgoWbhFHpQQLsSfZ+AH7MTSmlY02BbUSnTtqQLLgKRbL2FWKOztHBRK6+dT1xxmIXiNMncUtvcTx8S4088URHf7CGwsg2goOgFomSGwM=" ], + "priority" : [ "100" ], + "algorithm" : [ "RSA-OAEP" ] + } + } ] + }, + "internationalizationEnabled" : false, + "supportedLocales" : [ ], + "authenticationFlows" : [ { + "id" : "12923561-6b4d-458a-af19-597a0df4222b", + "alias" : "Account verification options", + "description" : "Method with which to verity the existing account", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-email-verification", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "ALTERNATIVE", + "priority" : 20, + "autheticatorFlow" : true, + "flowAlias" : "Verify Existing Account by Re-authentication", + "userSetupAllowed" : false + } ] + }, { + "id" : "0741abdd-9046-45e4-9237-2735956a8f67", + "alias" : "Browser - Conditional OTP", + "description" : "Flow to determine if the OTP is required for the authentication", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "auth-otp-form", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "3569f4b2-ebf3-430a-92bd-e3afd3581b39", + "alias" : "Direct Grant - Conditional OTP", + "description" : "Flow to determine if the OTP is required for the authentication", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "direct-grant-validate-otp", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "b063c6d2-033b-409a-a795-78b75451fb5d", + "alias" : "First broker login - Conditional OTP", + "description" : "Flow to determine if the OTP is required for the authentication", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "auth-otp-form", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "ebf694df-ccde-40eb-a048-704583262742", + "alias" : "Handle Existing Account", + "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-confirm-link", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : true, + "flowAlias" : "Account verification options", + "userSetupAllowed" : false + } ] + }, { + "id" : "2e74c11b-f429-45cc-a5a2-051d23349da1", + "alias" : "Reset - Conditional OTP", + "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "reset-otp", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "43ca4f2c-b12c-4ab7-b32e-e7ec918f1086", + "alias" : "User creation or linking", + "description" : "Flow for the existing/non-existing user alternatives", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticatorConfig" : "create unique user config", + "authenticator" : "idp-create-user-if-unique", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "ALTERNATIVE", + "priority" : 20, + "autheticatorFlow" : true, + "flowAlias" : "Handle Existing Account", + "userSetupAllowed" : false + } ] + }, { + "id" : "bd7aec0f-5e1b-44fb-8214-49e01adb2a92", + "alias" : "Verify Existing Account by Re-authentication", + "description" : "Reauthentication of existing account", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-username-password-form", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "CONDITIONAL", + "priority" : 20, + "autheticatorFlow" : true, + "flowAlias" : "First broker login - Conditional OTP", + "userSetupAllowed" : false + } ] + }, { + "id" : "69e1401f-6146-4217-9c78-60de39b77e5b", + "alias" : "browser", + "description" : "browser based authentication", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "auth-cookie", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "auth-spnego", + "authenticatorFlow" : false, + "requirement" : "DISABLED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "identity-provider-redirector", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 25, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "ALTERNATIVE", + "priority" : 30, + "autheticatorFlow" : true, + "flowAlias" : "forms", + "userSetupAllowed" : false + } ] + }, { + "id" : "de753ad3-bf0a-4cb5-8e63-7f1c61cc4ae6", + "alias" : "clients", + "description" : "Base authentication for clients", + "providerId" : "client-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "client-secret", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "client-jwt", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "client-secret-jwt", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 30, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "client-x509", + "authenticatorFlow" : false, + "requirement" : "ALTERNATIVE", + "priority" : 40, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "c266eeec-c725-4c2c-9274-255066b87888", + "alias" : "direct grant", + "description" : "OpenID Connect Resource Owner Grant", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "direct-grant-validate-username", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "direct-grant-validate-password", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "CONDITIONAL", + "priority" : 30, + "autheticatorFlow" : true, + "flowAlias" : "Direct Grant - Conditional OTP", + "userSetupAllowed" : false + } ] + }, { + "id" : "768f995d-942a-491d-9ddd-e30c94ba7f3f", + "alias" : "docker auth", + "description" : "Used by Docker clients to authenticate against the IDP", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "docker-http-basic-authenticator", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "2ad6e90c-e6dc-4bdd-b8e6-2bfaa79f5f7e", + "alias" : "first broker login", + "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticatorConfig" : "review profile config", + "authenticator" : "idp-review-profile", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : true, + "flowAlias" : "User creation or linking", + "userSetupAllowed" : false + } ] + }, { + "id" : "cde7fa9d-d2fe-4a24-a063-21657ff68666", + "alias" : "forms", + "description" : "Username, password, otp and other auth forms.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "auth-username-password-form", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "CONDITIONAL", + "priority" : 20, + "autheticatorFlow" : true, + "flowAlias" : "Browser - Conditional OTP", + "userSetupAllowed" : false + } ] + }, { + "id" : "3382651b-cd94-4f59-ac6b-c86c5f37916e", + "alias" : "registration", + "description" : "registration flow", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "registration-page-form", + "authenticatorFlow" : true, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : true, + "flowAlias" : "registration form", + "userSetupAllowed" : false + } ] + }, { + "id" : "0b1ddf44-0571-4077-be09-c5034a11bcb0", + "alias" : "registration form", + "description" : "registration form", + "providerId" : "form-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "registration-user-creation", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "registration-password-action", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 50, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "registration-recaptcha-action", + "authenticatorFlow" : false, + "requirement" : "DISABLED", + "priority" : 60, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "registration-terms-and-conditions", + "authenticatorFlow" : false, + "requirement" : "DISABLED", + "priority" : 70, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + }, { + "id" : "0cb25b58-a1c5-4435-8e4c-3dc5b76bf7e5", + "alias" : "reset credentials", + "description" : "Reset credentials for a user if they forgot their password or something", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "reset-credentials-choose-user", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "reset-credential-email", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 20, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticator" : "reset-password", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 30, + "autheticatorFlow" : false, + "userSetupAllowed" : false + }, { + "authenticatorFlow" : true, + "requirement" : "CONDITIONAL", + "priority" : 40, + "autheticatorFlow" : true, + "flowAlias" : "Reset - Conditional OTP", + "userSetupAllowed" : false + } ] + }, { + "id" : "5f308482-fe5e-4d4e-82ae-e65bbd2775f6", + "alias" : "saml ecp", + "description" : "SAML ECP Profile Authentication Flow", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "http-basic-authenticator", + "authenticatorFlow" : false, + "requirement" : "REQUIRED", + "priority" : 10, + "autheticatorFlow" : false, + "userSetupAllowed" : false + } ] + } ], + "authenticatorConfig" : [ { + "id" : "14781383-38bd-4cca-9717-f9a2c0ce74a6", + "alias" : "create unique user config", + "config" : { + "require.password.update.after.registration" : "false" + } + }, { + "id" : "33b3a707-b5e4-4e06-9b20-837e4620da29", + "alias" : "review profile config", + "config" : { + "update.profile.on.first.login" : "missing" + } + } ], + "requiredActions" : [ { + "alias" : "CONFIGURE_TOTP", + "name" : "Configure OTP", + "providerId" : "CONFIGURE_TOTP", + "enabled" : true, + "defaultAction" : false, + "priority" : 10, + "config" : { } + }, { + "alias" : "TERMS_AND_CONDITIONS", + "name" : "Terms and Conditions", + "providerId" : "TERMS_AND_CONDITIONS", + "enabled" : false, + "defaultAction" : false, + "priority" : 20, + "config" : { } + }, { + "alias" : "UPDATE_PASSWORD", + "name" : "Update Password", + "providerId" : "UPDATE_PASSWORD", + "enabled" : true, + "defaultAction" : false, + "priority" : 30, + "config" : { } + }, { + "alias" : "UPDATE_PROFILE", + "name" : "Update Profile", + "providerId" : "UPDATE_PROFILE", + "enabled" : true, + "defaultAction" : false, + "priority" : 40, + "config" : { } + }, { + "alias" : "VERIFY_EMAIL", + "name" : "Verify Email", + "providerId" : "VERIFY_EMAIL", + "enabled" : true, + "defaultAction" : false, + "priority" : 50, + "config" : { } + }, { + "alias" : "delete_account", + "name" : "Delete Account", + "providerId" : "delete_account", + "enabled" : false, + "defaultAction" : false, + "priority" : 60, + "config" : { } + }, { + "alias" : "webauthn-register", + "name" : "Webauthn Register", + "providerId" : "webauthn-register", + "enabled" : true, + "defaultAction" : false, + "priority" : 70, + "config" : { } + }, { + "alias" : "webauthn-register-passwordless", + "name" : "Webauthn Register Passwordless", + "providerId" : "webauthn-register-passwordless", + "enabled" : true, + "defaultAction" : false, + "priority" : 80, + "config" : { } + }, { + "alias" : "VERIFY_PROFILE", + "name" : "Verify Profile", + "providerId" : "VERIFY_PROFILE", + "enabled" : true, + "defaultAction" : false, + "priority" : 90, + "config" : { } + }, { + "alias" : "delete_credential", + "name" : "Delete Credential", + "providerId" : "delete_credential", + "enabled" : true, + "defaultAction" : false, + "priority" : 100, + "config" : { } + }, { + "alias" : "update_user_locale", + "name" : "Update User Locale", + "providerId" : "update_user_locale", + "enabled" : true, + "defaultAction" : false, + "priority" : 1000, + "config" : { } + } ], + "browserFlow" : "browser", + "registrationFlow" : "registration", + "directGrantFlow" : "direct grant", + "resetCredentialsFlow" : "reset credentials", + "clientAuthenticationFlow" : "clients", + "dockerAuthenticationFlow" : "docker auth", + "firstBrokerLoginFlow" : "first broker login", + "attributes" : { + "cibaBackchannelTokenDeliveryMode" : "poll", + "cibaExpiresIn" : "120", + "cibaAuthRequestedUserHint" : "login_hint", + "parRequestUriLifespan" : "60", + "cibaInterval" : "5", + "realmReusableOtpCode" : "false" + }, + "keycloakVersion" : "25.0.5", + "userManagedAccessAllowed" : false, + "organizationsEnabled" : false, + "clientProfiles" : { + "profiles" : [ ] + }, + "clientPolicies" : { + "policies" : [ ] + } +} \ No newline at end of file